- 12 myths about how the Internet works
- Smartphone smackdown: Storm vs. iPhone
- IETF: Should we ignore the Kaminsky bug?
- Top 10 wicked cool algorithms
- How to recession-proof yourself
Yahoo says it has fixed a vulnerability in Yahoo Mail that might have allowed savvy hackers to steal a victim's Yahoo identity and gain access to private information (Compare Data Leak Protection products).
Discovered by security vendor Cenzic last month, the underlying problem was a cross-site scripting (XSS) vulnerability that affected its current version of Yahoo Messenger and its new Yahoo Mail client Version 9, still in beta.
Cenzic vice president of marketing Mandeep Khera said the fix to the XSS vulnerability involves necessary changes in Yahoo servers, so users don’t have to download new Yahoo applications. “We don’t know how many users might have been exploited before this was fixed,” he said. “Potentially this was huge in terms of identity theft.”
“We are aware of the cross-site scripting vulnerability recently discovered in Yahoo Mail and we have completely resolved the issue as of June 13,” said Yahoo spokeswoman Kelley Podboy. “To our knowledge, the vulnerability was not exploited and users were not impacted. Yahoo takes user security very seriously as we continue our efforts to combat potential threats.”
Cenzic described how an attacker would have exploited the cross-site scripting vulnerability in Yahoo Mail prior to June 13. According to Cenzic, the attacker would be using the Yahoo Messenger desktop application 8.1.0.209 while chatting with the victim. The victim would need to be using the Messenger support in the new Yahoo Mail Web application.
A new chat tab would open in the victim’s browser. During the chat, the attacker could change their status to “invisible,” causing a message of “offline” in the chat tab of the victim. During this change of status, a savvy attacker could then send a custom message containing a malicious string in the form of a status message of “online,” with the script executed in the context of Yahoo Mail on the victim’s machine.
This would have allowed the attacker to get access to the victim’s session ID, and in turn steal their Yahoo identity, as well as exposing personal information stored in the Yahoo account.
“This vulnerability exposed millions of Yahoo users to the possibility of identity theft,” Khera pointed out.
Cenzic analysts alerted Yahoo to the findings of the cross-site scripting vulnerability last month, and Yahoo, which says it corrected the problem in June, is publicly disclosing the matter today.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comments (5)
Adobe InDesign CS3By Anonymous on June 29, 2008, 6:05 pmAdobe InDesign CS3
Reply | Read entire comment
The Article helps.By Anonymous on June 26, 2008, 6:29 amThis article helps a lot by actually explaining how the vulnerability can be exploited. We are living in an increasingly insecure world and getting more dependant...
Reply | Read entire comment
e mail off againBy Anonymous on June 26, 2008, 5:34 amI see that this morning all yahoo mail is not loading. Is this in anyway resolvable? Yahoo user
Reply | Read entire comment
Hope this is fixedBy Anonymous on June 25, 2008, 1:30 pmI hope the afore mentioned problem is now actually fixed.
Reply | Read entire comment
An important findBy Anonymous on June 25, 2008, 12:18 pmI am a regular yahoo user and these types of loopholes make my account all the more vulnerable. I hope there aren't any further findings like this in the yahoo...
Reply | Read entire comment
View all comments