Please support our Web Development advertiser: Programming Forums
Featured Entry 
Jun 26th, 2008, 10:56 pm
Heads up users of Yahoo Mail. A cross-site scripting vulnerability has been discovered that could allow hackers to steal a user’s session IDs and ultimately private information, according to a report yesterday from security risk assessment firm Cenzic.
In an excerpt from the Cenzic blog post, the company reports:
“If the attacker is using the Yahoo! Messenger desktop application 8.1.0.209 to chat with the victim, and the victim is using the Messenger support in the new Yahoo! Mail Web application, it will cause a new chat tab to open in the victim’s browser. While chatting, the attacker can change their status to ‘invisible,’ causing a message of ‘offline’ in the chat tab of the victim. The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of ‘online,’ with the script executed in the context of Yahoo! Mail on the victim’s machine. This allowed an attacker to get active access to the victim’s session ID, and in turn steal their Yahoo! identity, exposing sensitive personal information stored in their Yahoo! account.”
Cenzic immediately reports such vulnerabilities, when discovered, to at-risk vendors that subscribe to its services. Yahoo was alerted to the flaw in May, according to Cenzic, and reports that as of June 13 the vulnerability has been eliminated.
This vulnerability was reported by Mandeep Khera, Cenzic’s vice president of marketing. Khera serviced in similar roles at security giant VeriSign, Maaya, a Web-services support company.
In an excerpt from the Cenzic blog post, the company reports:
“If the attacker is using the Yahoo! Messenger desktop application 8.1.0.209 to chat with the victim, and the victim is using the Messenger support in the new Yahoo! Mail Web application, it will cause a new chat tab to open in the victim’s browser. While chatting, the attacker can change their status to ‘invisible,’ causing a message of ‘offline’ in the chat tab of the victim. The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of ‘online,’ with the script executed in the context of Yahoo! Mail on the victim’s machine. This allowed an attacker to get active access to the victim’s session ID, and in turn steal their Yahoo! identity, exposing sensitive personal information stored in their Yahoo! account.”
Cenzic immediately reports such vulnerabilities, when discovered, to at-risk vendors that subscribe to its services. Yahoo was alerted to the flaw in May, according to Cenzic, and reports that as of June 13 the vulnerability has been eliminated.
This vulnerability was reported by Mandeep Khera, Cenzic’s vice president of marketing. Khera serviced in similar roles at security giant VeriSign, Maaya, a Web-services support company.
This blog entry was written by Edward J Correia, staff writer aka EddieC. It has received 1,146 views, 0 comments, and 3 linkbacks. It was promoted to featured status Jun 26th, 2008.
•
•
•
•
advice antivirus apple ballmer botnet browser business crime daniweb data development email encryption exploit forensic google government hacker hacking help icahn information internet iphone linux malware mcafee merger microsoft mobile news phishing privacy report research search security spam spyware terrorism trojan virus vista vulnerability web windows worm yahoo yang
All Recent Tags Post Comment
•
•
•
•
Only community members can start a blog or comment on blog entries. You must register or log in to contribute.
•
•
•
•
•
•
•
•
DaniWeb Web Development Marketplace
Related Blog Entries
- CMG: Free Performance Data and White Papers (1 Day Ago)
- Ballmer To Apple: Divorce Hardware and Software (5 Days Ago)
- Google Phone Feeding Frenzy (7 Days Ago)
- Flash May Soon Brighten the iPhone (10 Days Ago)
- One small step for Google, one giant leap for Flash Designers! (11 Days Ago)
- Microsoft shows JQuery some love (11 Days Ago)
- Q and A with Electric Cloud CEO Mike Maciag (12 Days Ago)
- Unlocked iPhone 3Gs Now at Apple Store (12 Days Ago)
- Firefox 3.03 Released. (12 Days Ago)
- Apple Updates Its Java VM (13 Days Ago)
Related Forum Threads
- Browser Battle -- Your TOP Pick! (Geeks' Lounge)
