Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Yahoo! Bug Communications Security

Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email (klikki.fi) 37

An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.
This discussion has been archived. No new comments can be posted.

Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email

Comments Filter:
  • The number of people affected were 5 of the 11 people who still use Yahoo! mail.
  • This fix will make it harder to get my hot ex-gf's nudie pics.

  • I take it you have to run a script in the email while reading it with the Yahoo web client open, so using a local client is safe. (I don't open mail from people I don't know anyway... and even then, scripts and images are disabled in my client.)

    I was able to get myfirstname.mylastname@yahoo.com, so not only do I still use it, but I pay $20 annually for IMAP/SMTP access. I use Thunderbird or iOS Mail to read my mail and only rarely and occasionally use the web client to read mail.

    However, their stupid secu

    • How are they going to serve you adds?

    • I just checked my Thunderbird settings and I use IMAP and SMTP access with my Yahoo account and I don't pay $20/year or log in monthly.
      • Interesting. Thank you for that info.

        Is that for a mobile device only or do you use a PC-based client?

        • This is on a Windows 10 desktop using Thunderbird. I use my @yahoo.com email and password:
          imap.mail.yahoo.com Port:933 SSL/TLS, normal password
          smtp.mail.yahoo.com Port:465 SSL/TLS, normal password
          My android phone uses the same settings.
  • ... assuming only the yahoo domains were allowed?

  • Yahoo, a multi-million, possibly billion dollar company can't secure their own goddamn webmail, and this is after having ~20 years of experience in being an email provider.

    Fucking fabulous, great job guys, you da man.

Why won't sharks eat lawyers? Professional courtesy.