Yahoo email patch ineffective, security researchers say
Yahoo fixed an XSS flaw in its email application earlier this week but it apparently doesn't repair the problem
IDG News Service - Security researchers say a patch released by Yahoo earlier this week for a serious email vulnerability did not fix the problem, leaving users at risk.
The cross-site scripting flaw was found by Shahin Ramezany, who goes by the nickname "Abysssec." The vulnerability can allow an attacker to harvest a victim's cookie for their Yahoo account if the victim is successfully tricked into clicking on a malicious link.
The vulnerability was patched by Yahoo on Monday, but penetration testing company Offensive Security and Ramezany say that the patch did not fix the problem.
"With little modification to the original proof-of-concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim's account," Offensive Security wrote on its blog.
A Yahoo spokeswoman did not have an immediate comment when contacted Wednesday.
Offensive Security hosted a video showing how the attack works but left out details that might allow attackers to replicate it. The company said XSS filters provide little defense against an attack and warned that people should be wary of clicking on links within emails until Yahoo fixes the vulnerability.
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts