Jyväskylä-based bug hunter Jouko Pyynönen hit pay dirt in late December when he decided to test whether Yahoo Mail filters actually protected nearly 300 million users from harmful HTML code in their incoming mail.
It turned out they didn’t. Pyynönen, who works with the IT company Klikki, fed the system an email message containing "all known HTML tags and attributes" to see whether any could evade the filters. The test revealed that certain irregular HTML code could pass the filter. This created an opening for wrongdoers to embed malicious JavaScript into a specially formatted email message.
"Running the malware didn’t require the user to open an attachment or click on any links; the code would just start working when the user opened the email," Pyynönen told Yle.
Once a Yahoo Mail user opened such an innocuous-looking message, an attacker could take over the user’s email account, change account settings and use it to forward or send emails without the user’s consent. The attacker could also use the hijacked email account to distribute other malware.
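The filtering failure described above, as an added example that is not the article's, Klikki's or Yahoo's code: a parser-based allowlist sanitizer in Python, with a probe loop in the spirit of Pyynönen's test (feed the filter tags and attributes, regular and irregular alike, and see what survives). The tag list, scheme list and probe strings are constructed for illustration; a real mail sanitizer allows far more markup.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for the demo; anything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens, so irregular input never reaches the output verbatim."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown or malformed tag name: dropped, never echoed
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers every on* handler and style attribute
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # javascript: and data: URLs never reach the output
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, so a stray '<' cannot open a tag


def sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def surviving_probes(probes):
    """Return the probes whose sanitized output still carries script-capable markup."""
    risky = re.compile(r"<script|javascript:|\son\w+=", re.IGNORECASE)
    return [s for s in probes if risky.search(sanitize(s))]


# Constructed probe set: well-formed and irregular markup, plus one benign link as a control.
PROBES = ['<script>alert(1)</script>', '<a href="javascript:alert(1)">x</a>',
          '<scr<script>ipt>alert(1)</script>', '<b onmouseover="alert(1)">bold</b>',
          '<a href="https://example.test">ok</a>']
```

An empty list from `surviving_probes(PROBES)` means every probe was neutralised; a filter that works by pattern-matching the raw input rather than rebuilding from parsed tokens is where irregular markup tends to slip through.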
Pyynönen reported the bug to Yahoo! in late December via the HackerOne bug bounty platform, a collaborative vulnerability management site fronted by some of the world's biggest technology firms, including Facebook, Microsoft and Google.
Yahoo! moved to patch the gap just one week after it was reported and rewarded the cyber sleuth for his work, paying him 10,000 US dollars (more than 9,000 euros). Yahoo’s maximum reward in its bug detection programme is 15,000 US dollars.
"As far as I know no one managed to exploit the vulnerability," Pyynönen said.
Cyber criminals purchase vulnerabilities
As part of his work, Pyynönen comes into contact with business activity that revolves around cyber security weaknesses. He said that there is a group of companies ready to pay for technology flaws.
In addition to the legal trade in vulnerabilities, a number of entities operate on the shady side of the law; these may include cyber criminals and cyber espionage agents who need information about vulnerabilities to plan their attacks.
Pyynönen said that the best option for bug hunters is to report their findings to software owners.
"This bug bounty was smaller than what certain companies can pay for it, but if I work with them I can never be sure where the information about the vulnerability will end up. Informing the application owner is on a stronger ethical footing," he noted.
Yahoo! said that last year it paid out bounties of 1,000 dollars on average to 40 bug hunters, making the company’s 10,000-dollar payout to Pyynönen one of the largest ever.
Last week Pyynönen received another financial reward for a vulnerability that he had identified at the beginning of 2015.
The HackerOne bug bounty panel forked out a total of 9,000 US dollars (just over 8,000 euros) for three Flash player bugs.
In recent years, software companies have been willing to shell out increasingly large bounties for security flaws, making Pyynönen’s bug hunting activities particularly lucrative.
"I have compared this to mining. Sometimes you work for days or weeks without success, but this time it took only a few days to find the flaw," Pyynönen remarked.