Home / News & Blogs

Yahoo fixes Web mail security flaw

Joris Evers | October 22, 2005 12:19 AM PDT

Summary

The flaw, now fixed, opened the door to phishing scams, account hijacks and other attacks, but Yahoo said no user attacks were reported.

Topics

Joris Evers
Yahoo has fixed a security flaw in its free Web-based e-mail service that opened the door to phishing scams, account hijacks and other attacks.

The flaw, known as a cross-site scripting vulnerability, existed because Yahoo's Web site did not detect certain script tags in combination with certain special characters, according to SEC Consult, which issued an advisory on the flaw Friday.

Cross-site scripting flaws are found regularly, including recently in Google's Web site and earlier this year in Microsoft's Xbox 360 site.

Flaws have also been found on Yahoo's site. An attacker could exploit this type of flaw to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said.

A Yahoo representative said it fixed the most recent flaws in the "last few weeks" and that its users are protected.

"Yahoo recently learned of an issue in Yahoo Mail and worked immediately to begin rollout of a server-side fix which does not require users to take any action," said Karen Mahon, a Yahoo spokeswoman. "We are unaware of any users who were impacted by this issue."

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity