[Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
rg.viza at gmail.com
Tue Apr 18 23:53:22 BST 2006
whether any of us, people who read full disclosure, and may even be
security researchers, would fall for a yahoo phish, or need to log
into yahoo, is irrelevant. The fact is that yahoo mail is vulnerable
to XSS, and less savvy users could be exploited.
Yahoo, along with all websites that accept user input, should filter
their input... it's the right thing to do, since it increases security
and prevents users from being exploited with XSS.
Depending on the user to not allow himself to be exploited is how bad
security habits are born.
If you are like me and are constantly deleting cookies (using the
mozilla extension "clear data", because I test a lot and this requires
me to delete cookies a lot) you'd have to log in every time you use
Yahoo is vulnerable to XSS attacks, so they should fix their site, period.
On 4/18/06, Morning Wood <se_cur_ity at hotmail.com> wrote:
> > Yahoo! Mail once in a while will ask you
> > to re login again so it's not so anormal.
> I use Yahoo Mail, I have never once had to re-login in 4 years.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.