"Lax" Crossdomain Policy Puts Yahoo Mail At Risk
msm1267 writes: A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that puts email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross-origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.
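The configuration the summary is talking about is the Flash cross-domain policy file (crossdomain.xml) served by the mail host: it tells the Flash player which other origins' SWFs may make cookie-bearing requests to that host and read the responses. A wildcard such as `*.example.com` trusts every subdomain, so one vulnerable SWF on a CDN or any other subdomain is enough for cross-origin read of the mail host, which is the pattern described above and debated further down the thread. The checker below is an added example written for this page; it is not code from the article, the researcher or Yahoo. The two policy files it audits are constructed to illustrate the lax and the tightened form, and the `example.test` host names in them are hypothetical.

```python
"""Audit a Flash crossdomain.xml for lax settings of the kind described above.

Added example, not code from the article or from Yahoo. Both policy files
below are constructed for illustration; they are not Yahoo's real files and
the example.test host names are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed: a lax policy. Any SWF on any subdomain (a CDN included) may
# issue cookie-bearing requests to this host and read the replies.
LAX_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.mail.example.test" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed: the tightened form. One named origin, HTTPS only, and only the
# master policy file at /crossdomain.xml is honoured.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.mail.example.test" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of (severity, finding) tuples; an empty list means nothing lax was found."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    findings = []

    # A meta-policy of "all" lets any crossdomain.xml anywhere on the host
    # (for example one an attacker can upload) grant access, not just the
    # master file at the site root.
    site_control = root.find("site-control")
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies", "")
        if meta == "all":
            findings.append(("high", "site-control permits policy files anywhere on the host"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # For a policy served over HTTPS the Flash player defaults secure to true.
        secure = el.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high", "allow-access-from domain='*': any site's SWF may read "
                                     "authenticated responses"))
        elif domain.startswith("*."):
            findings.append(("high", "allow-access-from %s: every subdomain, including any CDN "
                                     "or user-content host, is trusted; one vulnerable SWF there "
                                     "gives cross-origin read of this host" % domain))
        if secure == "false":
            findings.append(("medium", "allow-access-from %s has secure='false': an HTTP-served "
                                       "SWF may reach this HTTPS origin" % (domain or "<unset>")))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "") == "*":
            findings.append(("medium", "any origin may send custom request headers (%s)"
                             % el.get("headers", "")))

    return findings


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("strict", STRICT_POLICY)):
        print("%s policy:" % name)
        for severity, msg in audit_crossdomain(policy) or [("ok", "nothing lax found")]:
            print("  [%s] %s" % (severity, msg))
```

Run it against a live file with `curl -s https://host/crossdomain.xml` piped into `audit_crossdomain`. The wildcard-subdomain check is the one that matters for the case above: the fix Yahoo shipped removed one vulnerable SWF, but as long as the policy trusts every subdomain, the next vulnerable SWF on any of them re-opens the same door.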
Silly me (Score:3, Funny)
I thought Flash was so nearly dead now that all that was left was pronouncement by two qualified physicians. I seriously find it hard to believe that a modern firm like Yahoo would even support it at this point.
Re:Silly me (Score:4, Insightful)
Nearly dead? You're talking about the most popular multimedia platform in the world. Yes, Flash sucks. I'll be the first to agree. And as much as anyone, I'd like to see HTML5 kick ass. But it's still lacking in several departments which prevent it from being widely adopted by online game developers. (Good clock / framerate control, a stellar IDE and code protection not being the least of them).
I've used several HTML5 IDE's and they blow. Coding is still fraught with browser issues and quirks. Speed is iffy at best for many important libraries. 3D transforms for example ... Don't get me started.
Relatively few developers are writing hit games in HTML5 yet. (Please note the term "relatively".) Not that writing great HTML5 games can't be done. It absolutely can be done. (Save yourself the effort of cherry-picking the latest demo of what HTML5 can do. I know. I've written a few.) But "potential" is not the issue. Kingdom Rush, for example, is written in Flash. Not HTML5. The devs at Ironhide aren't clueless. They chose Flash for a reason. Kongregate also has Unity games and HTML5 games -- but what percent are those? Why? Because they're all dumb? No. It's because AS3 is standard across platforms, extensible and blazing fast.
HTML5 fans are absolutely on the right track (I count myself as an HTML5 fan), but IMHO most are wholly delusional about how close they are to victory, and about just how "dead" Flash really is. Slashdotters and other people "in the know" know that Flash's days are numbered. But out there in Internet-land, *hundreds of millions* of users use Flash every day. That doesn't count as "dead" by any definition. And the Flash development community is still growing,
Re:Silly me (Score:4, Funny)
Ironically, now Flash is still alive while Steve Jobs is dead.
Re: (Score:1)
Flash is the A-10 "Warthog" of the Web. Everyone keeps calling it dead. And then it isn't.
Re: (Score:1)
Dude, Flash is dead! Get over it.
Re: (Score:2)
That's funny, because YouTube happily rolls over to HTML5 when you don't have Flash installed, and it works just fine.
As much as it pissed me off when Jobs said 'no Flash on the iPhone', it was a brilliant move at weaning the world from one of the least secure software packages in history. It's impossible to change the whole world at once, especially when Adobe is trying so desperately to cling to this albatross, but Adobe has never taken the responsibility for building a new, secure engine and eliminating
Re: (Score:2)
Because Flash still works on many old browsers. YouTube wants to serve as many people as they can, and want to avoid as many technical issues as they can. They know there are many people who got something working five or more years ago that haven't upgraded their browsers to anything that can display HTML5.
Re: (Score:3)
Are we defining "dead" as "widely used despite being a pathetic security hole", or are we sticking with the more traditional "nobody uses it any more"?
Because if we're defining "dead" in the latter sense, as much as I wish you were right, I'd have to say you're probably wrong.
Re: (Score:3)
Flash is dead.
-- Emperor Ming.
Re: (Score:2)
Yahoo isn't particularly modern. They are in transition, trying to be modern while being shackled to their legacy. They are about to lose me as a customer. The new versions of their mobile apps for Yahoo! Mail and Yahoo! Finance ask for way too many permissions. Next time I have to get a new phone and I can't have the old versions, their apps are history and so is my account. Not good for them, since I'm one of the hold-outs that pays for POP mail access, which I'm glad to have so I can suck down all my mail to
What did I not say just the other day? (Score:1)
"Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin."
As I stated here [slashdot.org] (and subsequently got modded troll for):
"Maybe people will start taking real responsibility for their sites and content. Passing the buck is lazy and irresponsible, especially in the case of advertising CDNs (and the subsequent malware infestations that spread as a result of
Re: (Score:1)
I care. You wouldn't have posted unless you care too. Fearing enough that he might be taken seriously that you'd field a ham-fisted attempt to discredit him is still a type of caring.
Re: (Score:1)
It's an obvious and simple problem that has plagued their services for a very long time, in one or another similar incarnation at least. I'm quite sure, in fact, that they are actively avoiding hiring anyone who looks like they are experienced enough to notice and seem willing to speak up about it.
Re: (Score:3, Insightful)
I love how I get proven right in the face of idiots with mod points.
Except...you didn't. Yahoo's email got screwed by *YAHOO'S* CDN, which is run by Yahoo on a yahoo.com domain. Their problem is that they failed to pass the buck to someone who could actually manage their content securely. You claimed that a CDN allows others to infect the shared CDN content which then would infect those people that used them. Here, the problem was that Yahoo Mail decided to trust everything with a yahoo.com domain or sub-domain, and a different part of Yahoo made an SWF file that allowe
Re: (Score:2)
"Except...you didn't."
You didn't bother reading the rest of the article, did you? It goes right on to cover how this affects OUTSIDE sites using Yahoo's Advertising CDN.
Which STILL PROVES MY POINT.
Lax (Score:3)
Well, you need a lax [wiktionary.org] SWF policy to allow the SWFs to swim upstream and spawn.
crap coding (Score:2)
Of all the email front ends that I have ever used, I have nothing but slowness and crashes from Yahoo no matter what platform I'm on.
Anyone else having this experience?
Re: (Score:3)
Yes, which is why I installed Thunderbird. I now still have my old 10+ year old email address and a stable email client. My phone's email client works well with the yahoo email as well.
Just install a real email client and your problems vanish.
Est.1998 (Score:1)
A flash vulnerability? (Score:3)
I'm completely shocked to hear this.
No, wait, I'm not surprised at all. Flash has been a security hole for as long as it has existed.
I don't understand why people let web sites run arbitrary code. Adobe made a horrible platform from a security perspective, and it's been pretty much constantly in the headlines since.
I honestly don't know why people continue to trust the damned thing, and can't believe the sheer number of times I've heard it's been a vector for security holes. Dozens? Hundreds?
Seriously, just stop running the damned thing.
Again I ask... (Score:1)
Why does Yahoo still exist?
Re: (Score:1)
So their business model is people who don't adapt well to new tech? Sounds shaky.
Additionally, Yahoo Answers is one of the worst places to get information IME.
Re: (Score:1)
By definition "new tech" can not be lagging, and no, I just use Gmail's "Inbox". Although I own a domain name and could easily set up my own server, why bother?
I guess a simpler way to say it is "What does Yahoo offer anyone they can't get somewhere else", and better at that.
Re: (Score:2)
It isn't just slow migration. Yahoo has been contracted to manage email for a lot of older ISPs, they host mail for a whole lot more than just @yahoo.com users. There are millions of people who use the Yahoo Mail interface because that's what their ISP switched to.
For example, 20 years ago I had a dialup internet account through my telco at the time, BellSouth. My email address from that service, which I still have, is @bellsouth.net. BellSouth no longer exists, it was swallowed back into ATT when the gover
insert security issue here (Score:2)
When slashdot was useful... (Score:2)
I remember the days when the highest rated comment on Slashdot would be a nice summary of the salient point of the article with some insightful agreement or disagreement.