Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email

An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.
  • The number of people affected was 5 of the 11 people who still use Yahoo! mail.
  • This fix will make it harder to get my hot ex-gf's nudie pics.

  • I take it you have to run a script in the email while reading it with the Yahoo web client open, so using a local client is safe. (I don't open mail from people I don't know anyway... and even then, scripts and images are disabled in my client.)

    I was able to get, so not only do I still use it, but I pay $20 annually for IMAP/SMTP access. I use Thunderbird or iOS Mail to read my mail and only rarely and occasionally use the web client to read mail.

    However, their stupid secu

    • How are they going to serve you ads?

    • I just checked my Thunderbird settings and I use IMAP and SMTP access with my Yahoo account and I don't pay $20/year or log in monthly.
      • Interesting. Thank you for that info.

        Is that for a mobile device only or do you use a PC-based client?

        • This is on a Windows 10 desktop using Thunderbird. I use my email and password:
          Port:933 SSL/TLS, normal password
          Port:465 SSL/TLS, normal password
          My Android phone uses the same settings.
  • ... assuming only the yahoo domains were allowed?

  • Yahoo, a multi-million, possibly billion-dollar company, can't secure their own goddamn webmail, and this is after having ~20 years of experience in being an email provider.

    Fucking fabulous, great job guys, you da man.

