Bountiful! Yahoo! Plugs! Mail! Spoofing! Bug!
Want email@example.com? Just edit the POST in a mail
Yahoo! has plugged a sender spoofing bug in its mail service turned up by independent researcher Lawrence Amer.
The medium-rated bug in the compose message module allowed attackers to spoof Yahoo! e-mail sender names in the company's classic Web interface.
Since patched, the bug allowed an attacker to edit the sender name in the Web app's POST/GET method.
In other words, having logged in under your own name, you could perform the attack by opening up the developer tools in your browser of choice, finding your address in the code, and editing it with that of the account you want to spoof.
Its the second bug in Yahoo! Mail to get patched this year. In January, the company awarded a Finnish bug-hunter US$10,000 for turning up a cross-site-scripting (XSS) bug in the platform.
Amer has submitted the bug to Yahoo!'s bug bounty program via Vulnerability Labs, and his Hackerone profile notes that the bug was resolved two weeks ago.
Amer's proof of concept video is below. ®