Researchers at Cenzic discovered a vulnerability in Yahoo Mail that could allow attackers to steal Yahoo identities and potentially access users’ sensitive information.
The company, a Web application security provider based in Santa Clara, Calif., notified Yahoo of the cross-site scripting flaw in its popular Web mail program on May 23, and Yahoo fixed it on June 13.
The vulnerability requires the attacker to use Yahoo Messenger desktop application version 126.96.36.199 to chat with someone using the Messenger support in the latest version of Yahoo Mail. An attacker can set their chat status to “invisible” and craft a malicious message; when the attacker returns to the chat and the user clicks on the message, the malicious script is executed, said Mandeep Khera, Cenzic vice president of marketing.
The vulnerability could allow an attacker to access a Yahoo Mail user’s session ID and steal their Yahoo identity, which could expose sensitive information stored in their Yahoo account, according to Cenzic.
Cenzic researchers hadn’t heard of any actual attacks exploiting the vulnerability, but Khera said he wouldn’t be surprised if attackers had figured it out and were keeping it quiet. Attackers prefer to quietly exploit vulnerabilities for financial gain, he said.