Yahoo Mail Hit by Scripting Vulnerability
Fleeing employees and irate shareholders aren't the only things that Yahoo is worrying about these days.The embattled search portal is also fighting the good fight against security vulnerabilities.
Yahoo has admitted that its Yahoo Mail online e-mail service was at risk from a Cross Site Scripting (XSS) vulnerability.
XSS flaws are among the most common and risky type of vulnerability in Web-based applications potentially allowing attackers to steal users' information or infect them with malicious code.
"Cenzic's CIA [Cenzic Intelligent Analysis] Research Lab notified Yahoo on May 23," Mandeep Khera, Cenzic's vice president, toldInternetNews.com.
Digg
del.icio.us
Newsvine
Facebook
Google
LinkedIn
MySpace
Reddit
Slashdot
StumbleUpon
Technorati
Twitter
Windows Live
YahooBuzz
FriendFeedAfter investigating and confirming that it's a serious vulnerability, the Yahoo team jumped on it pretty quickly and fixed the vulnerability by June 13.
Cenzic allowed extra time to make sure that Yahoo updated all its servers including the partner servers before announcing it publicly."
Yahoo spokesperson Kelley Podboy confirmed to InternetNews.com that there was in fact an XSS issue reported by Cenzic and that the issue has been resolved. Yahoo was not aware of the issue prior to it being reported by Cenzic.
"In this case Cenzic acted responsibly by reporting the issue directly to Yahoo! so that we could quickly resolve it," Podboy said.
According to Yahoo, there were not any users who were affected or negatively impacted by the XSS issue.
Cenzic's Khera, however, added a grain of salt to the questions of whether or not any Yahoo mail users were affected by the XSS vulnerability.
"We are not aware of any attacks around this issue in the wild out there," Khera said. "However, with a quarter of a billion Yahoo Mail users, it's probable that this vulnerability was exploited against some users. Hackers are getting much smarter and don't necessarily announce their conquests," Khere said. "By keeping it hidden, they can continue to exploit the vulnerabilities for a long time."
The actual XSS vulnerability actually involves both Yahoo Mail and Yahoo Messenger, which are now both integrated in the online application. According to Cenzic's description of the XSS vulnerability, while chatting, an attacker could have changed their status to 'invisible' which would trigger an 'offline' message in the users chat tab.
This article was first published on InternetNews.com. To read the full article, click here.
