Vulnerability Description
If the attacker is using the Yahoo! Messenger desktop application 8.1.0.209 to chat with the victim, and the victim is using the Messenger support in the new Yahoo! Mail Web application, it will cause a new chat tab to open in the victim’s browser. While chatting, the attacker can change their status to “invisible,” causing a message of “offline” in the chat tab of the victim. The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of “online,” with the script executed in the context of Yahoo! Mail on the victim’s machine. This allowed an attacker to get active access to the victim’s session ID, and in turn steal their Yahoo! identity, exposing sensitive personal information stored in their Yahoo! account.
http://www.computerw...ticleId=9103859
http://easypr.market...easejsp=release
Sponsored by: â–ˆ Sparkhost - Hosting Without Compromises! â–ˆ Hybrid Performance Web Hosting â–ˆ Spark Host Stream Hosting â–ˆ Hybrid IRC & IRCd Server Shell Accounts
Yahoo Mail Cross-Site-Scripting vulnerability
Started by
illwill
, Jun 26 2008 08:29 PM
No replies to this topic
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
