Today's Hard|Forum Post

Thursday March 17, 2016

Yahoo Fixes Email Address Spoofing Bug

I wonder how long this was an issue before this guy discovered it? As easy as this was to pull off, I'm actually surprised hackers weren't exploiting this already.

Remote attackers are able to spoof the sender name of Yahoo email users to send a spoofed sender with spoofed content. After investigation of the vulnerability, we discovered that it is located in the Yahoo classic web application product. Attackers are able to perform the malicious interaction via the Yahoo classic mail service. The vulnerability is located in the `compose message` module of the web service. The request method to inject or intercept as reply is POST.