Related Stories
- Google fixes Web site security bug (October 10, 2005)
- Microsoft plugs phishing hole in Xbox site (May 25, 2005)
- Yahoo fixes two flaws in mail system (August 19, 2004)
The flaw, known as a cross-site scripting vulnerability, existed because Yahoo's Web site did not detect certain script tags in combination with certain special characters, according to SEC Consult, which issued an advisory on the flaw Friday.
Cross-site scripting flaws are found regularly, including recently in Google's Web site and earlier this year in Microsoft's Xbox 360 site.
Flaws have also been found on Yahoo's site. An attacker could exploit this type of flaw to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said.
A Yahoo representative said it fixed the most recent flaws in the "last few weeks" and that its users are protected.
"Yahoo recently learned of an issue in Yahoo Mail and worked immediately to begin rollout of a server-side fix which does not require users to take any action," said Karen Mahon, a Yahoo spokeswoman. "We are unaware of any users who were impacted by this issue."
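The failure mode the advisory describes (a filter that looks for particular script tags but is defeated once special characters are mixed in) is easiest to see next to its fix. The Python below is an added example written for this page, not code from Yahoo, SEC Consult or CNET; the sample inputs are constructed and the function names are this example's own. It contrasts a literal-substring blocklist with context-aware output encoding, and includes a detection helper a reviewer could run over stored user content to see what a naive filter let through.

```python
import html
import re

# Constructed sample inputs for this example (not taken from the advisory):
# benign markup, a plain script tag, and two script tags mixed with the kind
# of extra characters (case changes, whitespace) a literal match does not see.
SAMPLE_INPUTS = [
    "hello <b>world</b>",
    "<script>alert(1)</script>",
    "<SCRIPT >alert(1)</SCRIPT >",
    "<script\tsrc=x></script>",
]


def naive_blocklist_filter(text: str) -> str:
    """The flawed pattern: remove the exact literal tag and nothing else.
    Any change in case or any character between the tag name and '>'
    slips through, which is the failure mode the advisory describes."""
    return text.replace("<script>", "").replace("</script>", "")


def contains_script_tag(text: str) -> bool:
    """Detection helper for auditing stored content: case-insensitive match
    for a script tag whose name is followed by one of the characters that
    terminate a tag name in HTML (whitespace, '/', or '>')."""
    return re.search(r"<\s*script(?=[\s/>])", text, re.IGNORECASE) is not None


def encode_for_html_body(text: str) -> str:
    """The fix: context-aware output encoding. '<', '>', '&' and both quote
    characters become entities, so no input can open a tag, whatever its
    spelling. This is the right encoding for an HTML text node; attribute,
    URL and JavaScript contexts each need their own encoder."""
    return html.escape(text, quote=True)


def evaluate(inputs=SAMPLE_INPUTS):
    """Run each input through both approaches and report whether a script
    tag survives. Returns a list of dicts, one per input."""
    report = []
    for s in inputs:
        report.append({
            "input": s,
            "naive_leaks_script": contains_script_tag(naive_blocklist_filter(s)),
            "encoded_leaks_script": contains_script_tag(encode_for_html_body(s)),
        })
    return report


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Output encoding wins because it never tries to enumerate what bad input looks like: every `<` becomes `&lt;` before the browser sees it, so the defence does not have to keep pace with tag spellings. The detection helper is for auditing what a blocklist let through, not a substitute for encoding at the point of output.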
__________________________________
R.K.
http://www.Remove-All-Spyware.com/
The biggest security issue for Yahoo Mail was discovered by me and reported to Yahoo and the security community. This involved using Yahoo's own mail-to-friend servers to bombard Yahoo's entire mail networks. Both corporate and consumer side, I believe. This allowed an attacker to create a DDoS situation where mail servers would slow to a crawl, if not outages. This is because the mail-to-friend servers allowed for a loop. This allowed a malicious user to send messages out from Yahoo's own production servers. Because this was Yahoo's own mail-to-friend servers, Yahoo's anti-spam technology treated all messages as "trusted". Therefore, all messages went straight to the Yahoo Mail inbox, rather than the bulk folder. Apart from this obvious disruption, because all mail was going to the inbox, Yahoo Messenger users would be bombarded with multiple new mail alert dialog boxes. This was a multi attack, which would have brought widespread disruption to Yahoo Messenger and Yahoo Mail users.
Part 2
I believe I discovered the first XSS for Google, way before the article CNET has recently reported on. I discovered an XSS in Google Groups last December, 2004. This was reported to the Full-Disclosure mailing list and Google's security team. The vulnerability was reported on the Friday to the security community and patched by Google by Sunday night.
Part 3
It would be great if you could start acknowledging people where credit is due. The real security research for Yahoo and Google is going on by people like me, not the folks coming from these security companies. I am bored with online media outlets only reporting on something if it's discovered by "professional security" companies.
All the above can be verified using a search engine or by contacting Google and Yahoo security teams. I continue to work in the underground to find unique ways to compromise security that haven't been previously thought of. The guys at these security companies aren't finding flaws which aren't based on known methods. I, however, believe I am going beyond that. See the described Y mail vulnerability and the way I used Yahoo to attack Yahoo, rather than attacking from external machines. Yahoo is still vulnerable on attacks using its own production servers. However, the YMail YMessenger hack described was patched!
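Taken at face value, the loop R.K. describes has three missing controls: nothing stopped relayed mail from being fed back into the relay, nothing capped how much one account could push through the feature, and the relay's own output was exempted from spam scoring. The Python below is an added example for this thread, not Yahoo's code or the poster's; the header name, rate limits and addresses are constructed assumptions. It models a send-to-friend relay with those three controls and replays its own output into it to show that the loop is cut and the volume is bounded.

```python
from collections import defaultdict, deque

# Constructed assumptions for this example; none of this is Yahoo's configuration.
RATE_LIMIT = 5                 # accepted relays per sender per window
WINDOW_SECONDS = 60
RELAY_HEADER = "X-Relay-Hops"  # hypothetical header the relay stamps on its output


class SendToFriendRelay:
    """A send-to-friend relay with the three controls the reported loop lacked:
    per-sender rate limiting, loop detection via a hop header, and no implicit
    trust for mail the relay itself generated."""

    def __init__(self, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.rate_limit = rate_limit
        self.window = window
        self._accepted = defaultdict(deque)  # sender -> timestamps of accepted sends
        self.outbox = []                      # (message, spam_exempt) handed to the MTA
        self.rejections = []                  # (sender, reason)

    def _within_limit(self, sender, now):
        q = self._accepted[sender]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) < self.rate_limit

    def submit(self, message, now):
        """message: dict with 'from', 'to', 'body' and optional headers.
        Returns True if handed to the MTA, False if rejected."""
        sender = message["from"]
        # Loop guard: anything that already passed through the relay is not relayed again.
        if int(message.get(RELAY_HEADER, 0)) >= 1:
            self.rejections.append((sender, "loop"))
            return False
        # Rate limit: bounds how much traffic one account can inject through the feature.
        if not self._within_limit(sender, now):
            self.rejections.append((sender, "rate-limited"))
            return False
        self._accepted[sender].append(now)
        out = dict(message)
        out[RELAY_HEADER] = 1
        # Relay output is scored like any other external mail, never pre-trusted.
        self.outbox.append((out, False))
        return True


def simulate_loop_attempt(submissions=8):
    """Push one sender's messages through the relay, then feed every relayed
    message back into the feature. Returns (delivered, loop_rejections,
    rate_rejections) so the effect of each control is visible."""
    relay = SendToFriendRelay()
    # Constructed sample message for the simulation.
    seed = {"from": "user@example.test", "to": "friend@example.test", "body": "look at this"}
    for i in range(submissions):
        relay.submit(dict(seed), now=i)
    for out, _ in list(relay.outbox):          # the loop: relay output re-enters the relay
        relay.submit(dict(out), now=submissions)
    delivered = len(relay.outbox)
    loops = sum(1 for _, r in relay.rejections if r == "loop")
    rate = sum(1 for _, r in relay.rejections if r == "rate-limited")
    return delivered, loops, rate


if __name__ == "__main__":
    print(simulate_loop_attempt())
```

The hop header is the cheapest loop breaker, but it only works if the relay refuses to strip or reset it; the rate limit is what bounds damage when the loop guard is somehow bypassed, and treating relay output as ordinary inbound mail keeps the bulk folder and new-mail alerts from amplifying whatever does get through.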
Yahoo
by Kreative4Jesus October 23, 2005 11:46 AM PDT
I like Yahoo & they have some beneficial Groups, of which I am an owner of & of some I just belong to them.
They have some flaws, I hope they get them taken care of soon & it is not just about security, but about the lack of communication, etc.......:
However, here is what has happened to me:
They usually send me a double dose of e-mail.
And just recently, I found out that I was bouncing, with some groups that I no longer belong to. I was bouncing in June & I found out about it in October(?), what gives? There was no evidence of this prior to correcting it & by the time that I was told about it, I no longer belonged to those groups.
My groups that I've tried to upload pictures to: some will upload, while others do not.
I've filled out a request of sorts for help & I get this automated letter after you fill out your complaint & you feel like you are communicating with a wall, where there is no human on the other side.
I'm sure that I can find other things to complain about. I had something on my mind & right now I'm just an Artist_Drawing_Blanks: LOL
Anyways, how can I get some real help? Does anyone know?
Cyndi