Slashdot Mirror


Yahoo! XSS Flaw Endangers its Users

Rarely Greys writes "A major Yahoo XSS flaw makes it possible to take over any Yahoo user's account, including their mail, instant messaging, photos, etc. This is not a rare occurrence. So why aren't web sites doing more to protect their users? It's looking like most web developers don't even know or care about XSS."

3 of 157 comments

  1. I fail to see how this is related to XSS by wumpus188 · Score: 3, Interesting

    And, if I'm reading his code right, to get this to work one must have 'third party cookies' allowed in the browser... Most sane browsers have this OFF by default.

    1. Re: I fail to see how this is related to XSS by Anonymous Coward · Score: 3, Interesting

      Hm.

      Posted anonymously because god knows what kind of flames I'd get if people knew I worked for an Internet advertising company that uses third-party cookies.

      IE6 has third-party cookies on by default, as does IE7, as does Firefox 2. The only "major" (not major in marketshare, but in mindshare) browser that has third-party cookies disabled by default is Safari at the moment.

      On the other hand, don't believe the scare tactics that say that third-party cookies are "spyware" or some horrible conspiracy against you. They're not. They're only used to target ads... if you go to a lot of sites like BestBuy.com and not BettyCrocker.com, you'll be more likely to receive ads about tech products. That's all there is to it. Third-party cookies are harmless. (We've actually had to disappoint Apple because their own browser didn't support what they wanted to do! Hah.)

      In addition, this exploit has nothing to do with third-party cookies. It uses first-party cookies, then spoofs a new session using the cookies recorded from another session. At least as far as I'm reading it... maybe I have the details wrong.

  2. Not necessarily that they don't try. by Fireflymantis · Score: 5, Interesting

    As a web developer myself, I try diligently to kill off any XSS attacks by writing good secure code, but there will always be a few corner cases in any non-trivial application that one does not account for. This is doubly so when dealing with web services that have to pump out huge amounts of data over an insecure medium.

    What is most showing is how fast it will be till Yahoo fixes this vulnerability as a sign of their mettle.

    imho...