White-hat bug hunter Jordan Milne disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. Milne said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. He received a $2,500 bounty for reporting the vulnerable .swf file, but he cautions Yahoo that there could be deeper trouble. The lax crossdomain.xml rules are the real problem, Milne says.
Source: https://threatpost.com/researcher-lax-crossdomain-policy-puts-yahoo-mail-at-risk/109849/

