"Lax" Crossdomain Policy Puts Yahoo Mail At Risk

msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.

Silly me

[EzInKy]

I thought Flash was so nearly dead now that all that was left was pronouncement by two qualified physicians. I seriously find it hard to believe that a modern firm like Yahoo would even support it at this point.

Re:Silly me

[popo]

Nearly dead? You're talking about the most popular multimedia platform in the world. Yes, Flash sucks. I'll be the first to agree. And as much as anyone, I'd like to see HTML5 kick ass. But it's still lacking in several departments which prevent it from being widely adopted by online game developers. (Good clock / framerate control, a stellar IDE and code protection not being the least of them).

I've used several HTML5 IDE's and they blow. Coding is still fraught with browser issues and quirks. Speed is iffy at best for many important libraries. 3D transforms for example ... Don't get me started.

Relatively few developers are writing hit games in HTML5 yet. (Please note the term "relatively") Not that writing great HTML5 games can't be done. It absolutely can be done. (Save yourself the effort of cherry-picking the latest demo of what HTML5 can do. I know. I've written a few). But "potential" is not the issue. Kingdom Rush, for example is written in Flash. Not HTML5. The devs at Ironhide aren't clueless. They chose Flash for a reason, Kongregate also has Unity games and HTML5 games -- but what percent are those? Why? Because they're all dumb? No. It's because AS3 is standard across platforms, extensible and blazing fast.

HTML5 fans are absolutely on the right track (I count myself as an HTML5 fan), but IMHO most are wholly delusional about how close they are to victory, and about just how "dead" Flash really is. Slashdotters and other people "in the know" know that Flash's days are numbered. But out there in Internet-land, *hundreds of millions* of users use Flash every day. That doesn't count as "dead" by any definition. And the Flash development community is still growing,

Re:Silly me

[Chris+Mattern]

Most Slashdotters think Flash is dead because Steve Jobs said it was.

Ironically, now Flash is still alive while Steve Jobs is dead.

Re:What did I not say just the other day?

I love how I get proven right in the face of idiots with mod points.

Except...you didn't. Yahoo's email got screwed by *YAHOO'S* CDN, which is run by Yahoo on a yahoo.com domain. Their problem is that they failed to pass the buck to someone who could actually manage their content securely. You claimed that a CDN allows others to infect the shared CDN content which then would infect those people that used them. Here, the problem was that Yahoo Mail decided to trust everything with a yahoo.com domain or sub-domain, and a different part of Yahoo made an SWF file that allowed privilege escalation.

If Yahoo had used a proper CDN with a different domain like akamai.net, then they wouldn't have had this particular problem. That'll teach them to follow your advice. The worst part is that you read this as you being right when actually reading what happened shows that you had things completely backwards.