Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email (klikki.fi)
An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.
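The class of bug described in the summary is stored cross-site scripting in a webmail client: HTML arriving in a message body is rendered for the recipient, so any script-bearing markup that survives the provider's filter runs in the victim's session. The standard mitigation is to rebuild the message from an allowlist of tags and attributes rather than trying to strip known-bad ones. The following is an added example written for this page, not Yahoo's or klikki.fi's code; the tag and attribute allowlists, the `url_is_safe` scheme check and the constructed sample body are assumptions chosen for illustration, and the exact attribute-filtering flaw that was fixed is not described on the page.

```python
"""Allowlist-based HTML sanitizer for rendering untrusted email bodies.

Added example (not Yahoo's or klikki.fi's code). The allowlists below are
assumptions chosen for illustration; a real mail client would tune them and
add URL rewriting, CSS handling and so on.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy: only these tags survive; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "img",
                "ul", "ol", "li", "div", "span", "table", "tr", "td", "th"}
# Per-tag attribute allowlist: no "style" and no "on*" handlers anywhere.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Tags whose *content* must also be dropped, not just the tag itself.
CONTENT_DROP_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def url_is_safe(value):
    """Accept only absolute http(s)/mailto URLs.

    Whitespace and control characters are removed before the scheme check so
    that spellings such as "java\\tscript:" are caught; HTMLParser has already
    decoded entity references inside attribute values for us.
    """
    if value is None:
        return False
    normalized = "".join(c for c in value if c.isprintable() and not c.isspace())
    return normalized.lower().startswith(SAFE_URL_SCHEMES)


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from the allowlist and records what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # audit trail, useful for logging and detection
        self._suppress = 0     # > 0 while inside a content-dropping tag

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROP_TAGS:
            self._suppress += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        allowed = ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:
            if name not in allowed or (name in ("href", "src") and not url_is_safe(value)):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROP_TAGS:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._suppress:
            self.dropped.append("content:suppressed")
            return
        self.out.append(escape(data, quote=False))  # re-escape decoded text

    # Comments, doctypes and processing instructions carry no value for mail
    # rendering and are a known place to hide markup; drop them all.
    def handle_comment(self, data):
        self.dropped.append("comment")

    def handle_decl(self, decl):
        self.dropped.append("decl")

    def handle_pi(self, data):
        self.dropped.append("pi")


def sanitize_email_html(body):
    """Return (clean_html, dropped_items) for an untrusted HTML email body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample body mixing legitimate markup with classic XSS test strings.
SAMPLE_BODY = (
    '<p>Hi, <b>see</b> the report &amp; chart below.</p>'
    '<img src="https://example.invalid/logo.png" onerror="alert(1)" alt="logo">'
    '<a href="java&#x09;script:alert(1)">click</a>'
    '<script>alert(document.domain)</script>'
    '<span style="background:url(javascript:alert(1))">x</span>'
    '<!--[if IE]><script>alert(1)</script><![endif]-->'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_BODY)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part a mail provider would actually wire into monitoring: a sudden rise in messages where event-handler attributes or `script` tags were removed is an early signal that someone is probing the filter, long before a bypass is found.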
Because not all of the skilled and talented people out there are asshats willing to sell out security to make a quick buck?
I have one because of my ISP. I know people who have had their Yahoo address so long they keep it out of sheer inertia.
To me this comes down to the fundamental problem: why the hell do we keep trusting websites to run arbitrary scripts? And why the hell do we trust 3rd party scripts in web pages?
So some greedy bastard can give you an ad?
The average Yahoo user likely doesn't use script blockers, and isn't going to start out blocking them only to whitelist what they want.
I can barely convince my wife to keep using the script blocker I've put into her Chrome to block all this shit.
At this point, the entire web has been written on the moronic assumption that people should just let everything run, which leads to stuff like this.
What we need to do is look at this stuff, and remove the default trust ... and what the ad and analytics companies want be damned. They're as much part of the problem as anything, and as often as not they end up serving up the malware in the first place.
Yes, Yahoo has some stuff they need to fix ... but I don't see this as being any more vulnerable than what your average web page expects you to do.
Lost at C:>. Found at C.
Yahoo says they still have 300 million.
Prolly counting the spam-trap and inactive email accounts that folks have 'ginned up since it opened...
How long, Nimbus, will you abuse our patience?