Original URL: https://www.theregister.com/2003/12/11/yahoo_fixes_web_mail_vuln/

Yahoo! fixes Web mail vuln

Flawed script

By John Leyden

Posted in Security, 11th December 2003 11:50 GMT

Yahoo! has closed a potentially devastating security loophole in its popular Web-based email service.

The script execution vulnerability in the service could have allowed crackers to launch a worm or mobile code attacks using maliciously-constructed email messages.

Yahoo's active content filter is supposed to block the injection of any active content into Yahoo! messages but security firm Finjan Software found this safeguard was easily foiled. Web-based email services from Outblaze and Excite had the same problem.

All three services are now fixed, according to security clearing house CERT.

The flaw would have allowed an attacker to input malicious script into a seemingly normal e-mail message. Potential victims opening a malicious e-mail would be hit with a malicious code attack, providing scripting was enabled on their Web browser.

In addition to destroying files, malicious code attacks could be used to steal personal information.

More info on the malicious script execution security flaw can be found here. ®