Yahoo Mail Suffered from XSS Vulnerability |
Written by Rebecca Mints |
Thursday, 26 June 2008 09:20 |
Cenzic’s CIA [Cenzic Intelligent Analysis] Research Lab notified Yahoo on May 23 that Yahoo Mail is facing serious risk from online attackers due to a Cross Site Scripting (XSS) vulnerability.
Yahoo quickly fixed the XSS vulnerability reported by Cenzic last June 13. It also said that Yahoo did not receive any complaints from Yahoo Mail and Messenger users who were affected negatively by the XSS vulnerability.
According to Cenzic’s description of the XSS vulnerability, while chatting, an attacker could have changed their status to ‘invisible’ which would trigger an ‘offline’ message in the users chat tab. "The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of online, with the script executed in the context of Yahoo Mail on the victim’s machine," Cenzic noted in its advisory. "This allowed an attacker to get active access to the victim’s session ID, and in turn steal their Yahoo identity, exposing sensitive personal information stored in their Yahoo account."
Although yahoo clames to have not recieved any complaints we find it hard to belive that out of the billion of yahoo users that nobody was effected by such an easy exploit. |