Yahoo fixes mail hole
Date: August 17, 2006Source: vnunet.com
By:
Yahoo has fixed a potential security flaw in its email service that could have allowed hackers to hijack Yahoo email accounts.
The problem was discovered earlier in August by Nir Goldshlager and Roni Bahar of Israeli security company Avnet.
The security hole required hackers to create an HTML attachment with different encoding schemes to bypass Yahoo Mail's security filter and then execute JavaScript code to download the recipient's mail cookie.
Once acquired, the cookie would provide access to the email session and hence the email inbox to read, send and delete emails.
A recipient would have to open only the malicious email, not the attachment too.
Although the mail cookie would not have given the hacker password control over the email account directly, once the email session had been hijacked the hacker could have gained the password by using the facility offered by Yahoo (and all other mail providers) to email passwords to customers who have forgotten them.
Add comment
Email to a Friend
