Yahoo Mail XSS by just sending an E-mail

Vulnerability Type: Cross Site Scripting (XSS)
  • Reported on 18-03-2014
  • Fixed on 28-04-2014
#Denied with reason:
I'm closing this report as the bug is no longer valid. It is possible it was fixed due to a duplicate report or it was fixed with a product update.
Steps to reproduce:

Use any E-mail service that allows us to use special characters in the 'Name' field while sending an E-mail.

There are many out there, but we will use Yandex as an example here. (You can also use-

1. Log in to your Yandex Account (or create a new one) and go to

2. Set your name as:

" onmouseover=alert(0) a

and click on 'Save Changes' button.

3. Now, go to

In the 'To' field, write your own Yahoo E-mail address. Fill in the other required fields (if any) and send the message.

4. Check your Yahoo Inbox. Click on the [onmouseover=alert(0) a] name and move your mouse over 'New Message'.

You will see a pop-up due to the XSS vulnerability.
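The root cause behind these steps is a sender display name being interpolated into an HTML attribute without escaping. The following is an added example (not code from the original report or from Yahoo Mail) that renders the name from step 2 with an assumed `<span>` template, once unescaped and once with attribute-escaping, and checks which output gained an event-handler attribute the template never wrote:

```javascript
// Assumed illustration of the vulnerable rendering pattern; not Yahoo Mail's actual markup.
const SAMPLE_NAME = '" onmouseover=alert(0) a'; // the sender name from step 2

// Vulnerable pattern: untrusted value dropped straight into an attribute and a text node.
function renderSenderUnsafe(name) {
  return `<span class="sender" title="${name}">${name}</span>`;
}

// Escape the characters that terminate text nodes or quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before interpolating, and always quote the attribute.
function renderSenderSafe(name) {
  const safe = escapeHtml(name);
  return `<span class="sender" title="${safe}">${safe}</span>`;
}

// Small quote-aware scanner listing the attribute names of one opening tag
// (enough for this check; it is not a full HTML parser).
function attributeNames(openTag) {
  const names = [];
  let i = openTag.indexOf(' ');
  while (i >= 0 && i < openTag.length) {
    while (openTag[i] === ' ') i++;
    if (i >= openTag.length || openTag[i] === '>') break;
    let name = '';
    while (i < openTag.length && !/[\s=>]/.test(openTag[i])) name += openTag[i++];
    names.push(name);
    while (openTag[i] === ' ') i++;
    if (openTag[i] !== '=') continue;
    i++;
    while (openTag[i] === ' ') i++;
    const q = openTag[i];
    if (q === '"' || q === "'") {
      const close = openTag.indexOf(q, i + 1); // quoted value: skip to closing quote
      i = close < 0 ? openTag.length : close + 1;
    } else {
      while (i < openTag.length && !/[\s>]/.test(openTag[i])) i++; // unquoted value
    }
  }
  return names;
}

// Detection: did rendering produce an on* handler attribute the template never wrote?
function hasInjectedHandler(html) {
  const tag = html.match(/<[a-z][^>]*>/i);
  return !!tag && attributeNames(tag[0]).some((n) => /^on/i.test(n));
}
```

The same escaping must be applied wherever the display name lands (tooltip, list entry, compose window), since the report shows the payload firing in the 'New Message' view rather than in the inbox list itself.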

Proof Of Concept [Image]:

Proof Of Concept [Video]: