10.24.05
Yahoo Deletes Cross-Scripting Email Problem
By David Utter
A security flaw present in Yahoo's widely used web-based email service was discovered
and corrected recently.
In combination with Microsoft Internet Explorer 6, a flaw in Yahoo's webmail could
have exposed users to phishing attacks and other problems. The security firm SEC-Consult
found the problem and disclosed it on Friday.
Yahoo responded quickly to fix the problem. The webmail did not correctly filter
out script tags containing particular special characters. A successful attack
could have resulted in the theft of cookies from a visitor's computer, left it
open to further phishing attacks, or placed malware on the PC.
Silicon.com published comments from a Yahoo spokesperson on the issue: "Yahoo!
recently learned of an issue in Yahoo! Mail and worked immediately to begin rollout
of a server-side fix which does not require users to take any action. We are unaware
of any users who were impacted by this issue."
Google recently had to fix two similar issues on its site. A pair of subdomains contained forms that
did not do data validation or filtering, presenting the same cross-site problems
Yahoo faced.
About the Author:
David Utter is a staff writer for WebProNews covering technology and business.