Slashdot Mirror


Yahoo! XSS Flaw Endangers its Users

Rarely Greys writes "A major Yahoo XSS flaw makes it possible to take over any Yahoo user's account, including their mail, instant messaging, photos, etc. This is not a rare occurrence. So why aren't web sites doing more to protect their users? It's looking like most web developers don't even know or care about XSS."

6 of 157 comments

  1. I fail to see how is this related to XSS by wumpus188 · · Score: 3, Interesting

    And, if I'm reading his code right, to get this to work one must have 'third party cookies' allowed in the browser... Most sane browsers have this OFF by default.

    1. Re:I fail to see how is this related to XSS by Anonymous Coward · · Score: 3, Interesting

      Hm.

      Posted anonymously because god knows what kind of flames I'd get if people knew I worked for an Internet advertising company that uses third-party cookies.

      IE6 has third-party cookies on by default, as does IE7, as does Firefox 2. The only "major" (not major in marketshare, but in mindshare) browser that has third-party cookies disabled by default is Safari at the moment.

      On the other hand, don't believe the scare tactics that say that third-party cookies are "spyware" or some horrible conspiracy against you. They're not. They're only used to target ads... if you go to a lot of sites like BestBuy.com and not BettyCrocker.com, you'll be more likely to receive ads about tech products. That's all there is to it. Third-party cookies are harmless. (We've actually had to disappoint Apple because their own browser didn't support what they wanted to do! Hah.)

      In addition, this exploit has nothing to do with third-party cookies. It uses first-party cookies, then spoofs a new session using the cookies recorded from another session. At least as far as I'm reading it... maybe I have the details wrong.

  2. Not necessarily that they don't try. by Fireflymantis · · Score: 5, Interesting

    As a web developer myself, I try diligently to kill off any XSS attacks by writing good secure code, but there will always be a few corner cases in any non-trivial application that one does not account for. This is doubly so when dealing with web services that have to pump out huge amounts of data over an insecure medium.

    What is most telling is how fast it will be till Yahoo fixes this vulnerability, as a sign of their mettle.

    imho...

  3. Re:Why web developers don't care about XSS by Anonymous Coward · · Score: 1, Interesting

    Zope 3. Seriously. Full Unicode, everything is security proxied, content is fully protected per attribute per user per permission; even if you made a page which tried to show non-accessible data, it wouldn't let you. All form data, user input, URLs, etc. are escaped automatically. Oh, for user input use some text markup which gets converted to HTML. Users don't need to write JavaScript on their blog directly.

    Yes it has a steep learning curve. But once you get it going, you will laugh at PHP/ASP and similar solutions. It is so far ahead it is not even funny.

  4. Re:SIMPLE SOLUTION by AKAImBatman · · Score: 2, Interesting

    To get rid of XSS you need to get rid of the injection agent. Which is HTML. Period.

    You're as bad as the commenter. HTML doesn't fall into this particular problem at all. The problem is with the HTTP protocol and how it gets abused. Specifically, the article is talking about Yahoo using url rewriting to store the session id rather than a session cookie. Since the session is attached to the token in the URL, an attacker would have no problem getting access to your account from the referring URL.

    This attack exists regardless of if you're using HTML or some other hyperlinked document. As long as the browser passes the referring URL, you're screwed. Which in the end is Yahoo's fault for forcing url rewriting.

    That being said, this *cough* advisory is on a blog called "Net Cooties" that places Paris Hilton behind "penis-painted bars". I'm not sure how far I trust the information they're handing out.

  5. Bottom line: Developers don't care by MobyDisk · · Score: 2, Interesting

    "It's looking like most web developers don't even know or care about XSS"

    I think the summary was trolling, but even so they got it dead on.

    I've worked on several web projects over the years, and I've never met a single developer who even knew or cared about XSS. In all of those projects none of them, other than myself, bothered to even escape strings when sending out to HTML. In some cases, they will go out of their way to _not_ escape them. Like in ASP.NET, using HTML literal controls (which don't escape HTML content) instead of using text controls (which do). The reasoning was that the .000001% optimization it provides is more important than the risk of a security problem.
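
The leak AKAImBatman describes in comment 4 (a session id rewritten into the URL, so it travels in the Referer header to whatever site the user clicks through to) is easy to spot in access logs. The scanner below is an added example, not code from the thread or from Yahoo; the session parameter names, the log lines and the hostnames are constructed for illustration.

```python
# Added example (not from the thread): flag session tokens carried in URLs.
# A site that rewrites the session id into the URL leaks it via the Referer
# header to any site the user clicks through to. Names/lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Assumed parameter names used by URL-rewriting frameworks (not from the article).
SESSION_PARAMS = {"sid", "sessionid", "sessid", "phpsessid", "jsessionid"}

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

def session_tokens_in_url(url: str) -> dict:
    """Return {name: value} for every session-looking token in a URL."""
    parts = urlsplit(url)  # urlsplit keeps ';param' inside .path; urlparse would not
    found = {k: v[0] for k, v in parse_qs(parts.query).items()
             if k.lower() in SESSION_PARAMS}
    # Servlet-style path parameter: /page;jsessionid=TOKEN
    m = re.search(r";jsessionid=([^;?/#]+)", parts.path, re.IGNORECASE)
    if m:
        found["jsessionid"] = m.group(1)
    return found

def find_session_leaks(log_lines) -> list:
    """Flag requests whose own path or Referer carries a session token.
    A token in the request path means this server emits rewritten URLs; one in
    the Referer means another site just handed us a user's session. The fix is
    a session cookie, not a token in the URL."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, path, referer = m.groups()
        for where, url in (("request", path), ("referer", referer)):
            tokens = session_tokens_in_url(url)
            if tokens:
                leaks.append({"ip": ip, "where": where, "url": url, "tokens": tokens})
    return leaks

# Constructed sample lines (RFC 5737 test addresses, made-up tokens).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2007:10:01:02 +0000] "GET /article HTTP/1.1" 200 512 '
    '"http://mail.example.test/inbox?sid=abc123DEF" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2007:10:01:03 +0000] "GET /article HTTP/1.1" 200 512 '
    '"http://mail.example.test/inbox" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2007:10:01:04 +0000] "GET /a;jsessionid=9F2C HTTP/1.1" '
    '200 12 "-" "Mozilla/5.0"',
]
```

Running `find_session_leaks(SAMPLE_LOG)` reports the first line (a foreign site's session arrived in our Referer field) and the third (our own URLs carry a session id); the second, cookie-based session produces nothing.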