XML/RSS feeds EarthWeb IT Management news and headlines Inside ID headlines See more EarthWeb Network RSS feeds FREE Tech Newsletters Inside ID Weekly Inside ID Events ITSMWatch HTML Instant Messaging Planet HTML CIO Update CodeGuru Update Enterprise Networking Planet Practically Networked HTML Enterprise Storage Forum HTML Optically Networked HTML Intranet Journal Update Datamation IT Management Careers Datamation IT Management Update Executive Tech HTML Developer.com Update Gamelan Java Update Goodies to Go Javascript Weekly HTML JARS Java Update OpenSource Update SysOpt Tech Notes Grid Computing Planet HTML E-Security Planet HTML Virtual Dr. Text

Yahoo Mail Hit by Scripting Vulnerability
June 21, 2008
By Sean Michael Kerner

Fleeing employees and irate shareholders aren't the only things that Yahoo is worrying about these days.

The embattled search portal is also fighting the good fight against security vulnerabilities.

Yahoo has admitted that its Yahoo Mail online e-mail service was at risk from a Cross Site Scripting (XSS) vulnerability.

XSS flaws are among the most common and risky type of vulnerability in Web-based applications potentially allowing attackers to steal users' information or infect them with malicious code.

"Cenzic's CIA [Cenzic Intelligent Analysis] Research Lab notified Yahoo on May 23," Mandeep Khera, Cenzic's vice president, toldInternetNews.com.

After investigating and confirming that it's a serious vulnerability, the Yahoo team jumped on it pretty quickly and fixed the vulnerability by June 13.

Cenzic allowed extra time to make sure that Yahoo updated all its servers including the partner servers before announcing it publicly."

Yahoo spokesperson Kelley Podboy confirmed to InternetNews.com that there was in fact an XSS issue reported by Cenzic and that the issue has been resolved. Yahoo was not aware of the issue prior to it being reported by Cenzic.

"In this case Cenzic acted responsibly by reporting the issue directly to Yahoo! so that we could quickly resolve it," Podboy said.

According to Yahoo, there were not any users who were affected or negatively impacted by the XSS issue.

Cenzic's Khera, however, added a grain of salt to the questions of whether or not any Yahoo mail users were affected by the XSS vulnerability.

"We are not aware of any attacks around this issue in the wild out there," Khera said. "However, with a quarter of a billion Yahoo Mail users, it's probable that this vulnerability was exploited against some users. Hackers are getting much smarter and don't necessarily announce their conquests," Khere said. "By keeping it hidden, they can continue to exploit the vulnerabilities for a long time."

The actual XSS vulnerability actually involves both Yahoo Mail and Yahoo Messenger, which are now both integrated in the online application. According to Cenzic's description of the XSS vulnerability, while chatting, an attacker could have changed their status to 'invisible' which would trigger an 'offline' message in the users chat tab.

"The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of "online," with the script executed in the context of Yahoo Mail on the victim's machine," Cenzic noted in its advisory.

"This allowed an attacker to get active access to the victim's session ID, and in turn steal their Yahoo identity, exposing sensitive personal information stored in their Yahoo account."

This article was first published on InternetNews.com.