XSS @ mail.yahoo.com

Post by **therube** » Wed Aug 29, 2012 7:41 pm

XSS @ http://mail.yahoo.com

"Signed out*" of yahoo &...

[NoScript InjectionChecker] JavaScript Injection in ///_ylt=At_ic0tRpmwzS4OCfWdAV.../SIG=14s5ts.../EXP=1347478466/**http%3A//login.yahoo.com/config/login%3Flogout=1%26.direct=2%26.done=http%3A//www.yahoo.com%26amp;.src=ym%26amp;.intl=us%26amp;.lang=en-US
(function anonymous() {
EXP=1347478.../**http`//login.yahoo.com/config/login`=1%26.direct=2%26.done=http`//www.yahoo.com`;.src=ym` /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [http://us.lrd.yahoo.com/_ylt=At_ic0tRpmwzS4OCfWdAV.../SIG=14s5ts.../EXP=1347478.../**http%3A//login.yahoo.com/config/login%3Flogout=1%26.direct=2%26.done=http%3A//www.yahoo.com%26amp;.src=ym%26amp;.intl=us%26amp;.lang=en-US] requested from [http://us.mc1614.mail.yahoo.com/mc/welcome?.gx=1&.tm=1346268...&.rand=43in9dbqu2...]. Sanitized URL: [http://us.lrd.yahoo.com/_ylt%20At_ic0tRpmwzS4OCfWdAV......./SIG%2014s5tsn5r/EXP%201347478.../**http://login.yahoo.com/config/login%3Flogout%201&.direct%202&.done%20http://www.yahoo.com&.src%20ym&.intl%20us&.lang%20en-US#793610026257...].

*Actually it did NOT sign me out.
(I did nothing with the XSS prompt warning.)
It does go to a "login" page, https://login.yahoo.com/config/login_verify2?logout%201&.direct%202&.done%20http://www.yahoo.com&.src%20ym&.intl%20us&.lang%20en-US#786451552263..., but in fact you are not logged out at that point.

On this screen, there is again a "Sign out" link, & if you then click that, there is no XSS warning, & you are in fact logged out at that point:

Post by **Tom T.** » Sat Sep 01, 2012 6:52 am

Fast answer that WFM, may not suit you:
Since mail is the only Yahoo service to which I log in (I use others, but as a guest), I merely used HOSTS to block www.yahoo.com.
Then signing out of mail, the annoying redirect to main yahoo page gets a "can't connect" message. Done. Go elsewhere.

If you use other Yahoo while signed in, this wouldn't work, and doesn't explain your original XSS message anyway.
But it surely simplifies things for me.

Post by **therube** » Wed Sep 05, 2012 5:48 pm

Appears it is happening in FF >16

Post by **Tom T.** » Thu Sep 06, 2012 4:30 am

therube wrote:Appears it is happening in FF >16

Same with equivalent versions of SM? Newer break, old works?
If you can nail it down to Fx > 16 only, sounds like either a MZ bug or something for Giorgio to look into.

Post by **therube** » Thu Sep 06, 2012 1:12 pm

Yes, equivalent version of SeaMonkey (2.14a).

Post by **Tom T.** » Thu Sep 06, 2012 10:35 pm

If no response soon, perhaps you might PM Giorgio to see if he can reproduce, find >16 bug, whatever?

Ripcord · Post by **Ripcord** » Sat Nov 24, 2012 4:56 am

I too started getting this 'confirm password' from Yahoo mail, when logging out. I first noticed it after upgrading to FF 17.0. I've no idea if it is a NoScript issue, FF or Yahoo. Is it more or less a coincidence that I'm also reading about a Yahoo mail XSS exploit so much in the news at the same time? Any clarification would be greatly appreciated!

Post by **Tom T.** » Mon Jan 14, 2013 5:55 am

http://forums.informaction.com/viewtopi ... 982#p46982

InformAction Forums

XSS @ mail.yahoo.com

XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com

Re: XSS @ mail.yahoo.com