security

Yahoo! Mail: Expired/Inactive Recovery Email Exploit on Resetting Passwords

Summary:

This vulnerability report describes how an attacker could obtain access to (pressumably) any Yahoo! Mail account by resetting the password through recovery email which was re-registered after previously deactivated (because of inactivity) by an external freemail provider. Or, reset the password of a Yahoo! Mail account whose recovery email's domain was hijacked or has been purchased by a third-party entity, which can reset the linked accounts by just using the reset-password-mechanism.

Description:

Many freemail providers like Microsoft's Outlook/Hotmail (or maybe Yahoo! Mail) emails are being automatically deactivated due to account inactivity (eg. not being able to login after 5 years). This means that the said auto-deactivated email addresses are now free for any user to re-register. BUT WHAT IF -- a stranger re-registered the email address which was linked as a recovery email to a currently active Yahoo! Mail account? This is where the exploit can be used: The stranger can now use the standard process of resetting the password or obtain access to a Yahoo! Mail account by sending a code to the hijacked recovery email.

Same problem goes to when a Yahoo! Mail account was linked to a recovery email in an email address of a private domain like "example.com" which was then bought by a no-longer affiliated entity, who can also access the recovery emails of the Yahoo! Mail accounts.

Browsers Verified In:

  • Google Chrome Version 68.0.3440.106 (Official Build) (64-bit)

IP Address:

  • 110.54.132.199

Steps to Reproduce:

(Add details for how we can reproduce the issue)

  1. Create an account in Microsoft Outlook/Hotmail or any email provider. (eg. old.email@outlook.com)
  2. Create a new Yahoo! Mail accocunt. (eg. new.email@yahoo.com)
  3. Link the old email address as a recovery email to the new Yahoo! Mail account.
  4. Wait until the old email account (recovery email) has been deactivated due to inactivity. (This could take a very very very long time)
  5. The attacker re-registers the my old email account as his/her own email.
  6. The attacker resets my password using my old email account as a recovery email to hack my Yahoo! Mail account.

Supporting Material/References:

None

Impact

The attacker could obtain full access to the victim's account which could lead to countless issues like frauds and hacks on other social media accounts.

Update

I have posted a bug report on Yahoo! Mail's HackerOne bug tracker and this is what I got:

0 Comments
0 Comments
/

ShortLink v0.1.5

ChangelogImproved CachingFooter text can now be customizedFix broken link if URI is modifiedAssets are now built-in; no more hotlinkingAutocreate ShortLink if Custom ShortLink is already

/

ShortLink v0.1.0

ChangelogWeb UI OverhaulSelf-host All CSS and JavaScript AssetsGoogle reCAPTCHA Service IntegrationXSS Vulnerability Patchedmailto:user@example.com Incompatibility Bug FixedImproved JavaScript copy-to-clipboard FunctionHTML Clutter CleanupView on