Yahoo email gets fix to nix sender-spoofing trickery

The flaw allowed attackers to send their intended scamming victims email from Yahoo addresses that seemed legit.

Charlie Osborne, Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

Yahoo has patched a flaw in its email code that could have been exploited in phishing scams.


Yahoo has patched a vulnerability in its email service that allowed cyberattackers to spoof Yahoo email addresses.

The bug was discovered by independent researcher Lawrence Amer and published through Vulnerability Lab on Full Disclosure. On Monday, the security researcher released details of the flaw publicly, saying the sender-spoofing vulnerability affected the Yahoo webmail application.

Cyberattackers were able to remotely spoof the sender names of Yahoo email users through a vulnerability in the "compose message" module of the Web service. A weakness in the system let users intercept the request traffic or inject values into its POST/GET parameters, changing the sender to whatever name they wished.
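The class of weakness described above, shown next to its server-side fix, as an added example that is not from the article, the researcher's report or Yahoo's code. The parameter names (`from_name`, `from_addr`), the `ACCOUNTS` table and all addresses are hypothetical and constructed for illustration.

```python
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed sample data: server-side record of each account's sender identities.
ACCOUNTS = {
    "alice": {"name": "Alice Example",
              "addresses": ["alice@example.com", "alice.alt@example.com"]},
}

class SenderNotAllowed(Exception):
    """Raised when a compose request names a sender the account does not own."""

def _message(name, addr, params):
    # Build the outgoing message with the given sender identity.
    msg = EmailMessage()
    msg["From"] = Address(name, addr_spec=addr)
    msg["To"] = params["to"]
    msg["Subject"] = params.get("subject", "")
    msg.set_content(params.get("body", ""))
    return msg

def compose_trusting_client(session_user, params):
    # Weak pattern: sender name and address are copied from request parameters,
    # so whoever edits the request decides what the recipient sees.
    return _message(params["from_name"], params["from_addr"], params)

def compose_server_side(session_user, params):
    # Hardened pattern: the authenticated session decides the sender.
    account = ACCOUNTS[session_user]
    # The client may only select among addresses the account owns.
    addr = params.get("from_addr", account["addresses"][0]).strip().lower()
    if addr not in account["addresses"]:
        raise SenderNotAllowed(f"{session_user} may not send as {addr!r}")
    # The display name always comes from the server-side profile.
    return _message(account["name"], addr, params)

def sender_of(msg):
    # Return (display name, address) as a recipient's mail client would parse it.
    first = msg["From"].addresses[0]
    return first.display_name, first.addr_spec
```

Logging each `SenderNotAllowed` rejection with the session user and the requested address gives responders a record of tampering attempts.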

This vulnerability is a problem as spoofed email addresses are often used in spear-phishing campaigns -- fraudulent emails sent for the purposes of information theft or to dupe victims into installing malware on their systems. If a user receives an email from a spoofed Yahoo address that seems legitimate, they may be more likely to fall for such a campaign.

The exploit is considered a medium severity issue, and the vulnerability has now been fixed. If you'd like, you can view the researcher's proof-of-concept video.

Yahoo was made aware of the flaw in October last year, and the Sunnyvale, California, company's developers were able to create a patch to fix the issue at the end of February. Amer submitted the email security flaw through Yahoo's Bug Bounty program, hosted on HackerOne. It's not known how much he earned for his work.

This story originally appeared at ZDNet under the headline "Yahoo patches sender spoofing email vulnerability."