Yahoo has fixed a vulnerability in its Web mail site that could allow a hacker to get access to a person's account.

The problem was in the way Yahoo's Web mail interacts with version 8.1.0.209
of its instant messaging (IM) desktop application, according to Web application
security company Cenzic.

Cenzic notified Yahoo of the problem in May, and the company fixed it on June
13.

If a hacker using the IM application starts chatting with a victim who is using
the IM function of Yahoo's Web e-mail, a new chat tab is opened in the victim's
Web browser. The attacker can then manipulate his presence status message to
send a malicious script via IM. That script would then be executed in the context
of Yahoo's e-mail service on the person's PC.

The script can reveal the victim's session ID to the attacker, who can then
get access to information stored in that account, Cenzic said.

Cenzic classified the vulnerability as a cross-site scripting flaw, where scripts
or commands from one Web application that shouldn't run in another are successfully
executed. Security experts contend that cross-site scripting vulnerabilities
are rampant on Web sites, posing dangerous risks to Web users.

Once in control of the account, the hacker could send spam. Yahoo and other
free e-mail providers such as Microsoft have seen increasing use of their services
for spam.

That's in part because the CAPTCHA (Completely Automated Public Turing test
to tell Computers and Humans Apart) security feature, which requires users to
decode a jumble of distorted characters, has been increasingly defeated by machine-based
processing.

The vulnerability would also allow access to a person's IM contacts. The hacker
can then send instant messages purporting to be from a legitimate contact but
with links leading to sites that try and exploit vulnerabilities in a person's
Web browser or operating system.

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine