Yahoo fixes e-mail cross-site scripting flaw

Yahoo has fixed a vulnerability in its e-mail program that could allow a hacker to get access to a person's account.

Yahoo has fixed a vulnerability in its Web mail site that could allow a hacker to get access to a person's account.

The problem was in the way Yahoo's Web mail interacts with version 8.1.0.209 of its instant messaging (IM) desktop application, according to Web application security company Cenzic.

Cenzic notified Yahoo of the problem in May, and the company fixed it on June 13.

If a hacker using the IM application starts chatting with a victim who is using the IM function of Yahoo's Web e-mail, a new chat tab is opened in the victim's Web browser. The attacker can then manipulate his presence status message to send a malicious script via IM. That script would then be executed in the context of Yahoo's e-mail service on the person's PC.

The script can reveal the victim's session ID to the attacker, who can then get access to information stored in that account, Cenzic said.

Cenzic classified the vulnerability as a cross-site scripting flaw, where scripts or commands from one Web application that shouldn't run in another are successfully executed. Security experts contend that cross-site scripting vulnerabilities are rampant on Web sites, posing dangerous risks to Web users.

Once in control of the account, the hacker could send spam. Yahoo and other free e-mail providers such as Microsoft have seen increasing use of their services for spam.

That's in part because the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) security feature, which requires users to decode a jumble of distorted characters, has been increasingly defeated by machine-based processing.

The vulnerability would also allow access to a person's IM contacts. The hacker can then send instant messages purporting to be from a legitimate contact but with links leading to sites that try and exploit vulnerabilities in a person's Web browser or operating system.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Michael Hargreaves

Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?