Yahoo Mail Hit by Scripting Vulnerability

Vendor admits it had a serious security flaw, but was anyone hurt?

Fleeing employees and irate shareholders aren't the only things that Yahoo is worrying about these days.

The embattled search portal is also fighting the good fight against security vulnerabilities.

Yahoo has admitted that its Yahoo Mail online e-mail service was at risk from a Cross Site Scripting (XSS) vulnerability.

XSS flaws are among the most common and risky type of vulnerability in Web-based applications potentially allowing attackers to steal users' information or infect them with malicious code.

"Cenzic's CIA [Cenzic Intelligent Analysis] Research Lab notified Yahoo on May 23," Mandeep Khera, Cenzic's vice president,

After investigating and confirming that it's a serious vulnerability, the Yahoo team jumped on it pretty quickly and fixed the vulnerability by June 13.

Cenzic allowed extra time to make sure that Yahoo updated all its servers including the partner servers before announcing it publicly."

Yahoo spokesperson Kelley Podboy confirmed to that there was in fact an XSS issue reported by Cenzic and that the issue has been resolved. Yahoo was not aware of the issue prior to it being reported by Cenzic.

"In this case Cenzic acted responsibly by reporting the issue directly to Yahoo! so that we could quickly resolve it," Podboy said.

According to Yahoo, there were not any users who were affected or negatively impacted by the XSS issue.

Cenzic's Khera, however, added a grain of salt to the questions of whether or not any Yahoo mail users were affected by the XSS vulnerability.

"We are not aware of any attacks around this issue in the wild out there," Khera said. "However, with a quarter of a billion Yahoo Mail users, it's probable that this vulnerability was exploited against some users. Hackers are getting much smarter and don't necessarily announce their conquests," Khere said. "By keeping it hidden, they can continue to exploit the vulnerabilities for a long time."

The actual XSS vulnerability actually involves both Yahoo Mail and Yahoo Messenger, which are now both integrated in the online application. According to Cenzic's description of the XSS vulnerability, while chatting, an attacker could have changed their status to 'invisible' which would trigger an 'offline' message in the users chat tab.

"The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of "online," with the script executed in the context of Yahoo Mail on the victim's machine," Cenzic noted in its advisory.

"This allowed an attacker to get active access to the victim's session ID, and in turn steal their Yahoo identity, exposing sensitive personal information stored in their Yahoo account."

This isn't the first time Cenzic has identified a XSS vulnerability in a Webmail application.

Last year Cenzic reported an XSS issue with Google's Gmail service, which also was quickly resolved.

"This is different from the ones we reported before at a specific level," Khera explained. "The common variable is that this is also XSS. Based on our data, XSS continues to be a major vulnerability that's easily exploitable in Web applications. Other ones that we are seeing are SQL Injection, CSRF, and Session Management types of vulnerabilities."

TAGS: security,Yahoo,XSS,Cenzic

Security News Solutions

Comment and Contribute

    (Maximum characters: 1200). You have 1200 characters left.



    Security News| Contact Sean Michael Kerner | Back to top

    Click the Join button below to sign up to our newsletter!