Security Bytes

Jun 25 2008   12:19PM GMT

Yahoo Mail flaw found and fixed

Marcia Savage


Researchers at Cenzic discovered a vulnerability in Yahoo Mail that could allow attackers to steal Yahoo identities and potentially access users’ sensitive information.

The company, a Web application security provider based in Santa Clara, Calif., notified Yahoo of the cross-site scripting flaw in its popular Web mail program on May 23, and Yahoo fixed it on June 13.

The vulnerability requires the attacker to use the Yahoo Messenger desktop application to chat with someone using the Messenger support built into the latest version of Yahoo Mail. The attacker can set their chat status to “invisible” and craft a malicious message; when the attacker returns to the chat and the user clicks on the message, the malicious script executes, said Mandeep Khera, Cenzic vice president of marketing.

The vulnerability could allow an attacker to access a Yahoo Mail user’s session ID and steal their Yahoo identity, which could expose sensitive information stored in their Yahoo account, according to Cenzic.
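The root cause of a flaw like this is chat text reaching the mail page's markup unescaped. The following is an added illustration, not Cenzic's or Yahoo's code: a vulnerable renderer beside a hardened one, run over a constructed message (function names and the sample message are assumptions for the example).

```javascript
// Escape the five characters that let untrusted text break out of HTML
// text context. Ampersand goes first so later entities are not re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the chat message body is interpolated into the
// mail page's markup unchanged, so markup inside it is interpreted.
function renderChatMessageUnsafe(sender, message) {
  return `<div class="chat-msg"><b>${sender}</b>: ${message}</div>`;
}

// Hardened pattern: every untrusted field (sender name and body) is
// escaped, so the same message is displayed as literal text.
function renderChatMessageSafe(sender, message) {
  return `<div class="chat-msg"><b>${escapeHtml(sender)}</b>: ` +
         `${escapeHtml(message)}</div>`;
}

// Coarse check for markup a browser would execute; used here only to
// show the difference between the two renderers, not as a WAF rule.
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed sample message: a harmless script tag standing in for
// whatever a malicious chat message would carry.
const sampleMessage = 'hello <script>alert(1)</script>';

// Session cookies should also be marked HttpOnly so that script running
// in the page cannot read the session ID even if escaping is missed.
const sessionCookieHeader = "Y=session-id-placeholder; Secure; HttpOnly";

console.log(renderChatMessageUnsafe("eve", sampleMessage));
console.log(renderChatMessageSafe("eve", sampleMessage));
```

The unsafe output contains a live `<script>` element; the safe output shows the same text as `&lt;script&gt;`, which the browser displays rather than runs.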

Cenzic researchers hadn’t heard of any actual attacks exploiting the vulnerability, but Khera said he wouldn’t be surprised if attackers had figured it out and were keeping it quiet. Attackers prefer to quietly exploit vulnerabilities for financial gain, he said.
