Cross Domain Policy Bug in Yahoo Mail
Researcher Demonstrate Cross Domain Policy Bug in Yahoo Mail, Cross Domain Policy vulnerability hacking yahoo mail, information security experts, ethical hacking, secure you email, secure email server,end-to-end encryption
A Canadian security researcher, Jordan Milne had found a Cross Domain Policy vulnerability on Yahoo mail service. The loose Cross Domain Policy was for the flash request on Yahoo mail that puts Yahoo mail service under threats. By exploiting the vulnerability attacker can read the victims mails, read contacts, overall can have a full control on the account.
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content make requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction.
“Once you have control of someone’s email, you have the keys to their digital life. You can silently trigger password resets for all of their accounts, pull the reset tokens right out of their emails, then change the recovery emails on the accounts so the victim can’t get them back,” Milne said.
For reporting the vulnerability, Yahoo team awarded him a reward of $2,500 USD as part of their bounty program.