Yahoo fixes email cross-site scripting flawJune 26, 2008 – 5:53 AM
Yahoo has fixed a vulnerability that could allow a hacker to get access to a person’s webmail account.
The problem was in the way Yahoo’s mail interacts with version 220.127.116.11 of its IM application, according to web application security company Cenzic.
Cenzic notified Yahoo of the problem in May, and the company has now fixed it.
If a hacker using the IM application starts chatting with a victim who is using the IM function of Yahoo’s web email, a new chat tab is opened in the victim’s web browser. The attacker can then manipulate his presence status message to send a malicious script via IM. That script would then be executed in the context of Yahoo’s email service on the person’s PC.
The script can reveal the victim’s session ID to the attacker, who can then get access to information stored in that account, Cenzic said.
Cenzic classified the vulnerability as a cross-site scripting flaw, where scripts or commands from one web application that shouldn’t run in another are successfully executed. Security experts contend that cross-site scripting vulnerabilities are rampant on websites, posing dangerous risks to web users.