Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Yahoo plugs hole in web mail

Account access denied.

By Juan Carlos Perez, IDG News Service | Published: 09:36, 17 August 2006

Yahoo has fixed a hole in its online email service that could have allowed hackers to gain access to accounts.

"We have developed a fix for this bug and deployed it worldwide," a company spokeswoman explained. The vulnerability itself was discovered by Israeli security company Avnet earlier this month and involves how Yahoo Mail handles attachments.

By creating an HTML attachment with different encoding schemes, one could have bypassed Yahoo Mail's security filter and executed malicious JavaScript code.

The exploit was such that the recipient only had to open the email without having to open the attachment itself. As a result, it was possible to steal an individual's Yahoo Mail cookie, hijack the session and gain access to the person's in-box.

"This attack vector could be used to launch a variety of other more sophisticated attacks," wrote Roni Bachar from Avnet. These could include unleashing worms, installing keylogger programs, phishing and scanning ports on the PC.

After identifying the vulnerability, Bachar and co-founder Nir Goldshlager immediately alerted Yahoo, so that the vendor could patch its system. Bachar isn't aware of any known exploits of the vulnerability.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.