This vulnerability report describes how an attacker could obtain access to (pressumably) any Yahoo! Mail account by resetting the password through recovery email which was re-registered after previously deactivated (because of inactivity) by an external freemail provider. Or, reset the password of a Yahoo! Mail account whose recovery email's domain was hijacked or has been purchased by a third-party entity, which can reset the linked accounts by just using the reset-password-mechanism.
Many freemail providers like Microsoft's Outlook/Hotmail (or maybe Yahoo! Mail) emails are being automatically deactivated due to account inactivity (eg. not being able to login after 5 years). This means that the said auto-deactivated email addresses are now free for any user to re-register. BUT WHAT IF -- a stranger re-registered the email address which was linked as a recovery email to a currently active Yahoo! Mail account? This is where the exploit can be used: The stranger can now use the standard process of resetting the password or obtain access to a Yahoo! Mail account by sending a code to the hijacked recovery email.
Same problem goes to when a Yahoo! Mail account was linked to a recovery email in an email address of a private domain like "example.com" which was then bought by a no-longer affiliated entity, who can also access the recovery emails of the Yahoo! Mail accounts.
Browsers Verified In:
- Google Chrome Version 68.0.3440.106 (Official Build) (64-bit)
Steps to Reproduce:
(Add details for how we can reproduce the issue)
- Create an account in Microsoft Outlook/Hotmail or any email provider. (eg. email@example.com)
- Create a new Yahoo! Mail accocunt. (eg. firstname.lastname@example.org)
- Link the old email address as a recovery email to the new Yahoo! Mail account.
- Wait until the old email account (recovery email) has been deactivated due to inactivity. (This could take a very very very long time)
- The attacker re-registers the my old email account as his/her own email.
- The attacker resets my password using my old email account as a recovery email to hack my Yahoo! Mail account.
The attacker could obtain full access to the victim's account which could lead to countless issues like frauds and hacks on other social media accounts.
I have posted a bug report on Yahoo! Mail's HackerOne bug tracker and this is what I got: