|
| Assata Shakur Main | Forum Portal | Arcade | Links/Downloads | TTDC Search | RBG Tube | Warrior Chat | Store | Free Email | Donate | News |
| ||||||||
| P C Tech Advice & Technology Post your PC related problems, share info related to the internet, test your avatars or images here. |
 |
| | LinkBack | Thread Tools | Display Modes |
06-25-2008
| |||||
| |||||
 Yahoo fixes e-mail cross-site scripting flaw Yahoo fixes e-mail cross-site scripting flaw Problem with the way Yahoo's Web mail interacted with its IM application could allow a hacker to get access to a person's account By Jeremy Kirk, IDG News Service June 25, 2008 Yahoo has fixed a vulnerability in its Web mail site that could allow a hacker to get access to a person's account. The problem was in the way Yahoo's Web mail interacts with version 8.1.0.209 of its instant messaging (IM) desktop application, according to Web application security company Cenzic. Cenzic notified Yahoo of the problem in May. If a hacker using the IM application starts chatting with a victim who is using the IM function of Yahoo's Web e-mail, a new chat tab is opened in the victim's Web browser. The attacker can then manipulate his presence status message to send a malicious script via IM. That script would then be executed in the context of Yahoo's e-mail service on the person's PC. The script can reveal the victim's session ID to the attacker, who can then get access to information stored in that account, Cenzic said. Cenzic classified the vulnerability as a cross-site scripting flaw, where scripts or commands from one Web application that shouldn't run in another are successfully executed. Security experts contend that cross-site scripting vulnerabilities are rampant on Web sites, posing dangerous risks to Web users. Once in control of the account, the hacker could send spam. Yahoo and other free e-mail providers such as Microsoft have seen increasing use of their services for spam. That's in part because the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) security feature, which requires users to decode a jumble of distorted characters, has been increasingly defeated by machine-based processing. The vulnerability would also allow access to a person's IM contacts. The hacker can then send instant messages purporting to be from a legitimate contact but with links leading to sites that try and exploit vulnerabilities in a person's Web browser or operating system. Yahoo fixes e-mail cross-site scripting flaw | IDGNS | News | June 25, 2008 | By Jeremy Kirk, IDG News Service
__________________ Posted In The Spirit of Learning & Sharing One Love & Respect Always *************************************** The Quest for knowledge stops at the grave. HIM Emperor Haile Selassie I. If you fail to prepare, you are preparing to fail! Mind what you want, because someone wants your mind. Working together, the ants ate the elephant.   |
|
Lower Navigation
| ||||||
| ||||||
| Bookmarks |
| Tags |
| crosssite, email, fixes, flaw, scripting, yahoo |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| Display Modes | |
| |
|
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Patches keep coming as Apple fixes OS X security bugs | Jahness | P C Tech Advice & Technology | 0 | 02-12-2008 02:18 AM |
| Massive Java Update Includes Security Fixes | Jahness | P C Tech Advice & Technology | 0 | 01-24-2008 02:48 AM |
| Yahoo says e-mail worm now contained | Jahness | P C Tech Advice & Technology | 2 | 06-16-2006 01:49 AM |
| Yahoo Ordered to Share Reporter's E-Mail | Jahness | P C Tech Advice & Technology | 0 | 09-10-2005 11:57 AM |
| T-mail will replace e-mail, says Philip Emeagwali | Jacuma | P C Tech Advice & Technology | 7 | 03-20-2005 12:06 AM |
| New To Site? | Need Help? |
Jahness
Linear Mode
