Yahoo Mail XSS by just sending an E-mail

Vulnerability Type: Cross Site Scripting (XSS)
  • Reported on 18-03-2014
  • Fixed on 28-04-2014
Denied with reason:
I'm closing this report as the bug is no longer valid. It is possible it was fixed due to a duplicate report or it was fixed with a product update.
Steps to reproduce:

Use any E-mail service that allows special characters in the sender 'Name' field.

There are many out there, but we will use Yandex as an example here. (You can also use http://emkei.cz/.)

1. Login to your Yandex Account (or Create New) and go to https://mail.yandex.com/neo2/#setup/sender

2. Set your name as:

" onmouseover=alert(0) a

and click on 'Save Changes' button.

3. Now, Go to https://mail.yandex.com/neo2/#compose

In 'To' field, write your own Yahoo Email Address. Fill other required fields (if any) and send the message.

4. Check your Yahoo Inbox. Click on the [onmouseover=alert(0) a] sender name and move your mouse over 'New Message'.

You will see a pop-up, confirming the XSS vulnerability.
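To show why this payload works and what closes the hole, here is an added example (not code from the original report or from Yahoo Mail): a toy sender renderer that concatenates the display name into an HTML attribute, the same renderer with HTML encoding applied, and a small quote-aware attribute scanner used to check the output. The element layout and the address are constructed for illustration.

```javascript
// Added example: vulnerable vs. encoded rendering of a sender display name.
// Element layout and the address are constructed, not taken from Yahoo Mail.
const MALICIOUS_NAME = '" onmouseover=alert(0) a';   // payload from the report
const SAMPLE_ADDRESS = 'sender@example.com';          // constructed

// Vulnerable: the display name is concatenated straight into a quoted
// attribute. The leading '"' in the name closes title="" early, so
// ' onmouseover=alert(0)' is parsed as a new attribute on the element.
function renderSenderUnsafe(name, address) {
  return '<span class="sender" title="' + name + '" data-addr="' + address +
         '">' + name + '</span>';
}

// Encode the five characters that matter in HTML text and attribute context.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fixed: every untrusted value is encoded before it reaches the markup, and
// attribute values are always quoted, so the name can never close the quote.
function renderSenderSafe(name, address) {
  const n = encodeHtml(name), a = encodeHtml(address);
  return `<span class="sender" title="${n}" data-addr="${a}">${n}</span>`;
}

// Quote-aware scan of the opening tag's attribute names. Used to check
// whether the rendered output carries attributes the template never declared.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf(' ');                         // position after the tag name
  while (i >= 0 && i < html.length && html[i] !== '>') {
    while (i < html.length && /\s/.test(html[i])) i++;
    const start = i;
    while (i < html.length && !/[\s=>]/.test(html[i])) i++;
    const name = html.slice(start, i);
    if (html[i] === '=') {                           // attribute with a value
      names.push(name.toLowerCase());
      i++;
      if (html[i] === '"') {                         // quoted value: skip to closing quote
        const q = html.indexOf('"', i + 1);
        i = q < 0 ? html.length : q + 1;
      } else {                                       // unquoted value: skip to whitespace or '>'
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}
```

Running `attributeNames` over both renderers' output for the report's payload shows the extra `onmouseover` attribute only in the unencoded version.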

Proof Of Concept [Image]:


Proof Of Concept [Video]:

