Yahoo Fixes Critical Mail Flaw
In a worst case scenario, the flaw enabled hackers to hijack users' sessions and infiltrate their private accounts, as well as overtake operations in Yahoo Mail, if it was exploited.
The cross site scripting vulnerability, which occurs between the interaction of the Yahoo Messenger desktop application and the Yahoo Messenger instant messaging client, was first detected May 23 by security researchers at Cenzic, a Santa Clara, Calif.-based security company.
Cenzic researchers said that they have only just now released an advisory that warns users of the issue because of their vulnerability disclosure policy, stipulating that security personnel are required to notify the vendor first after a security flaw has been detected.
However, this vulnerability is particularly unique, experts say. In order to execute an attack, the cyber criminals would have to obtain some type of "buddy" status with their victim, which could be acquired through a known contact or via a spoofed e-mail address, experts say.
"They definitely have to know you," said Mandeep Khera, vice president of marketing for Cenzic. "They can also take a generic IM identity and figure out what your ID is, log in and start chatting with you."
Specifically, the Yahoo error allows an attacker using the Messenger desktop application 8.1.0.209 to engage in an IM chat session with the unsuspecting user, which will open a new chat tab in the victim's browser while he or she is using the Messenger support in the new Yahoo Mail Web application. Attackers can then change to an "invisible" status, pretending to log out, which will result in a message of "offline" in the victim's chat tab.
The attacker could stealthily execute an attack by sending a targeted message to the victim's machine that contains malicious code and then pretending to come back "online" with the script executed in the Yahoo Mail message.
The attacker could potentially achieve unauthorized access to users' login credentials, and subsequently steal their online Yahoo identity to gain access to personal information, Khera said.
Yahoo confirmed that it fixed the flaw June 13. "We are aware of the Cross-Site Scripting vulnerability recently discovered in Yahoo! Mail and we resolved the issue by June 13. To our knowledge the vulnerability was not exploited and users were not impacted. Yahoo! takes user security seriously as we continue our efforts to combat potential threats," Yahoo said in a written statement.
Khera echoed that so far, he had not heard of active exploits that occurred as a result of the error, but said that an attack was not outside of the range of possibility in light of Yahoo Mail's extensive user base.
"There are roughly quarter of a billion Yahoo Mail users," said Khera. "It could have affected a few of those. We just don't know."