Researchers at Cenzic discovered a vulnerability in Yahoo Mail they said could allow attackers to steal Yahoo identities and potentially access users’ sensitive information.
The company, a Web application security provider based in Santa Clara, Calif., notified Yahoo of the cross-site scripting flaw in its popular Web mail program on May 23 and Yahoo fixed it June 13.
The vulnerability requires the attacker use Yahoo Messenger desktop application version 8.1.0.209 to chat with someone using the Messenger support in the latest version of Yahoo Mail. An attacker can make their chat status “invisible” and craft a malicious message; when he returns to the chat and the user clicks on the message, the malicious scripting is executed, said Mandeep Khera, Cenzic vice president of marketing.
The vulnerability could allow an attacker to access a Yahoo Mail user’s session ID and steal their Yahoo identity, which could expose sensitive information stored in their Yahoo account, according to Cenzic.
Cenzic researchers hadn’t heard of any actual attacks exploiting the vulnerability but Khera said he wouldn’t be surprised if attackers had figured it out and were keeping it quiet. Attackers prefer to quietly exploit vulnerabilities for financial gain, he said.
Trackback URL for this post:
Remmrit.com user has just tagged your post as yahoomail!
