Had Cenzic’s CIA [Cenzic Intelligent Analysis] Research Lab not notified Yahoo on May 23 that Yahoo Mail was exposed to online attackers through a Cross Site Scripting (XSS) vulnerability, millions of Yahoo Mail users might already have been victimized.
XSS flaws are said to be the most common and risky vulnerability encountered in Web-based applications; left unfixed, they give attackers the opportunity to steal users’ information or, worse, infect their machines with malicious code.
The good news is that Yahoo quickly fixed the XSS vulnerability reported by Cenzic, on June 13. Yahoo also said it had not received any complaints from Yahoo Mail and Messenger users negatively affected by the XSS vulnerability.
That would have been the end of the story, but Cenzic’s analysts are not so easily convinced. With Yahoo Mail’s billion users, they think there is a good chance that some of them were affected stealthily by the XSS flaw, especially now that attackers are getting better at their malicious attacks on online users.
In case you’re wondering how this XSS vulnerability affects Yahoo Mail and Yahoo Messenger users, here is how Cenzic’s analysts explain it:
According to Cenzic’s description of the XSS vulnerability, while chatting, an attacker could change their status to ‘invisible’, which would trigger an ‘offline’ message in the user’s chat tab.
“The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of ‘online,’ with the script executed in the context of Yahoo Mail on the victim’s machine,” Cenzic noted in its advisory.
“This allowed an attacker to get active access to the victim’s session ID, and in turn steal their Yahoo identity, exposing sensitive personal information stored in their Yahoo account.”
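The root cause Cenzic describes is a classic one: a contact-controlled string (the status message) is written into the Yahoo Mail page as markup instead of as text, so script inside it runs with the victim’s session. The snippet below is an added illustration of that defect beside its fix, not code from Yahoo or from Cenzic’s advisory; the function names, the allowed-state list and the sample status message are constructed for the example.

```javascript
// Added example: rendering a contact's presence/status message into a chat
// tab. renderStatusUnsafe shows the defect class Cenzic describes (status text
// concatenated into HTML); renderStatusSafe shows the usual fix (whitelist the
// state, entity-encode everything else). All names here are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that change meaning in an HTML text/attribute
// context so the browser shows them as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the status string is parsed as HTML, so any tag the
// contact put in their status becomes part of the mail client's DOM.
function renderStatusUnsafe(contactName, statusText) {
  return `<div class="presence">${contactName} is ${statusText}</div>`;
}

// Hardened pattern: the presence state must be one of a fixed set, and the
// free-form custom message is encoded before it reaches the markup.
const ALLOWED_STATES = new Set(["online", "offline", "invisible", "busy"]);

function renderStatusSafe(contactName, state, customMessage) {
  const safeState = ALLOWED_STATES.has(state) ? state : "unknown";
  const suffix = customMessage ? ` (${escapeHtml(customMessage)})` : "";
  return `<div class="presence">${escapeHtml(contactName)} is ${safeState}${suffix}</div>`;
}

// Constructed sample input: a status message carrying a script tag.
const SAMPLE_NAME = "contact-1";
const SAMPLE_STATUS = "online <script>/* constructed sample */</script>";

// Returns true when the rendered fragment still contains a raw script tag,
// i.e. when the status text was treated as markup rather than text.
function rendersRawScript(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const unsafe = renderStatusUnsafe(SAMPLE_NAME, SAMPLE_STATUS);
  const safe = renderStatusSafe(SAMPLE_NAME, "online", SAMPLE_STATUS);
  return {
    unsafeHasScript: rendersRawScript(unsafe), // true
    safeHasScript: rendersRawScript(safe),     // false
    safe,
  };
}

console.log(demo());
```

Encoding on output is the fix for the rendering defect itself; marking the session cookie `HttpOnly` is the usual complementary control, since it keeps page script from reading the session identifier that Cenzic says the attacker could obtain.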
It looks like Yahoo has its hands full with problems and issues lately. Aside from the successive resignations of its top executives, threats from external parties, and shareholders’ growing discontent with the way things are going, we would not be surprised if Yahoo announced what seems to be inevitable. What is it? Your guess is as good as mine.