We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,629 News Articles

Yahoo Mail cross-scripting bug fixed

Vulnerability allowed hackers to send spam

Yahoo has fixed a vulnerability in its webmail site that could allow a hacker to get access to a person's account.

The problem was in the way Yahoo's webmail interacts with version 8.1.0.209 of its instant messaging (IM) desktop application, according to web application security company Cenzic.

Cenzic notified Yahoo of the problem in May, and the company fixed it on June 13.

If a hacker using the IM application starts chatting with a victim who is using the IM function of Yahoo's web email, a new chat tab is opened in the victim's web browser. The attacker can then manipulate his presence status message to send a malicious script via IM. That script would then be executed in the context of Yahoo's email service on the person's PC.

The script can reveal the victim's session ID to the attacker, who can then get access to information stored in that account, Cenzic said.

Cenzic classified the vulnerability as a cross-site scripting flaw, where scripts or commands from one web application that shouldn't run in another are successfully executed. Security experts contend that cross-site scripting vulnerabilities are rampant on websites, posing dangerous risks to web users.

Once in control of the account, the hacker could send spam. Yahoo and other free email providers such as Microsoft have seen increasing use of their services for spam.

That's in part because the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) security feature, which requires users to decode a jumble of distorted characters, has been increasingly defeated by machine-based processing.

The vulnerability would also allow access to a person's IM contacts. The hacker can then send instant messages purporting to be from a legitimate contact but with links leading to sites that try and exploit vulnerabilities in a person's web browser or operating system.


IDG UK Sites

iPhone 6 release date, price, specs and new features: Convincing leaked photos show iPhone 6

IDG UK Sites

Gateway to your kingdom: why everybody should check and update their broadband router

IDG UK Sites

Netflix whips up 3D VR viewing room for Oculus Rift during company hack day

IDG UK Sites

Best Mac? Complete Apple Mac buyers guide for 2014