Network Security: Detailed info on XSS on Yahoo Mail

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

XSS on Yahoo Mail

from [Richard Fuchshuber] Network Security

[Permanent Link]

Subject:	XSS on Yahoo Mail
Date:	Wed, 23 Nov 2005 14:44:34 -0300 (ART)


  Hi,

I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
attachments. It's possible to insert data into the "Yahoo! Mail" html
interface.

For example, with the following code in an html attachment it's possible
to insert "Your profile is out of date, please update clicking here" above
the button "Check Mail".

<?
<TABLE border="1" cellspacing="1" cellpadding="0">
<TR>Your profile is out of date, please update <a
href="www.blabla.com">clicking here.</a></TR>
</TABLE>

I think this could be used in phishing scam.

For a screenshot, see [1]. The circulated text was inserted into interface
of the "Yahoo!  Mail" through an email  with the above code  as an html
attachment.

I tried to contact "Yahoo!" several times, without success.


[1] - http://richard.computeiro.com/yahoo_bug.jpg





        



        
                
_______________________________________________________ 
Yahoo! Acesso Grátis: Internet rápida e grátis. 
Instale o discador agora!
http://br.acesso.yahoo.com/

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
XSS on Yahoo Mail, Richard Fuchshuber <= RE: XSS on Yahoo Mail, Will Wesley Re: XSS on Yahoo Mail, Steven Champeon Re: XSS on Yahoo Mail, Will Wesley Re: XSS on Yahoo Mail, Jim Ley RE: XSS on Yahoo Mail, Richard Fuchshuber Re: XSS on Yahoo Mail, Personal Account Re: XSS on Yahoo Mail, little . hacker Re: XSS on Yahoo Mail, Matan Peled Re: XSS on Yahoo Mail, alireza hassani Re: XSS on Yahoo Mail, Lance James

Previous by Date:	Google Talk Denial of Service - BenjiBug, James Evans
Next by Date:	MDKSA-2005:215 - Updated binutils packages fix vulnerabilities, Mandriva Security Team
Previous by Thread:	Google Talk Denial of Service - BenjiBug, James Evans
Next by Thread:	RE: XSS on Yahoo Mail, Will Wesley
Indexes:	[Date] [Thread] [Top] [All Lists]