InformAction Forums

[quote="Switchs"]Awesome thanks, I removed all my yahoo entries and just kept/added yimg.com, mail.yahoo.com, and ymail.com like you said and I'm not getting the warning pop up and the site is working fine. thanks again[/quote]
You're quite welcome.

This vulnerability affects all browsers AFAIK, so please help spread the word to everyone you know, or in any relevant forums:
Firefox or Seamonkey plus NoScript is the best protection available for this issue -- and for many others, known or future. :)

Awesome thanks, I removed all my yahoo entries and just kept/added yimg.com, mail.yahoo.com, and ymail.com like you said and I'm not getting the warning pop up and the site is working fine. thanks again

Putting the entries inside Code tags should help with the spam filter.

However, there is a [url=http://krebsonsecurity.com/2013/01/facebook-yahoo-fix-valuable-ecurity-hole/]known cross-site scripting vulnerability in Yahoo e-mail[/url]. Yahoo claims to have fixed it, but [url=http://thenextweb.com/insider/2013/01/07/yahoo-mail-users-hit-by-widespread-hacking-xss-exploit-seemingly-to-blame/]security researchers beg to differ[/url].

I don't get this XSS message, because I tighten Yahoo permissions versus the default whitelist.
The default whitelist includes:

[b]yahoo.com
yimg.com
yahooapis.com[/b]

I delete [b]yahoo.com[/b] and [b]yahooapis.com[/b], and add this tighter whitelist entry:

[b]mail.yahoo.com[/b]

-- allowing only the mail sub-domain versus the entire Yahoo universe.

and add

[b]ymail.com[/b]

which at some time was needed for handling attachments. It may or may not be now -- they keep changing how they handle attachments. :roll:

Since I don't wish to show the "userstatus", messenger, etc., [b]yahooapis [/b]seems to be needed only to edit account settings, address book, etc. So I Temp-Allow it for those rare occasions, then [i]Revoke temporary permissions[/i] afterward.

This worked fine up until a week or two ago, when it became impossible to sign in to Yahoo mail without also temp-allowing
[b]yahoo.com[/b]

So I T-A it, log in, then revoke it. Once logged in, the revoking of [b]yahoo.com [/b]does not seem to affect anything.

A bit of a PITA, but it seems to prevent not only the exploit, but also the NoScript message about blocking it. Let's all be thankful to NS's excellent XSS protection for (apparently) preventing us from becoming victims of this widespread attack. Too bad that Yahoo can't seem to secure their site.

Changed the topic title to reflect that this is a known vulnerability.

Alright I found 2 entries but when I submit this post its saying I'm trying to post spam, I guess its because the second entry is huge so I'm only posting the first entry.

[NoScript XSS] Sanitized suspicious request. Original URL [http://hsrd.yahoo.com/_ylt=Ah5s964R1wgtIbjUmAB1kJibvZx4/SIG=13ubjkei9/EXP=1358104370/**https%3A//login.yahoo.com/config/login%3F.src=fpctx%26.intl=us%26.done=http%253A%252F%252Fwww.yahoo.com%252F] requested from [http://www.yahoo.com/]. Sanitized URL: [http://hsrd.yahoo.com/_ylt%20Ah5s964R1wgtIbjUmAB1kJibvZx4/SIG%2013ubjkei9/EXP%201358104370/**https://login.yahoo.com/config/login%3F.src%20fpctx&.intl%20us&.done%20http://www.yahoo.com/#4564739875330013285].

Open Error Console (Ctrl+J), copy the contents of the associated XSS message from there & paste here.

Hi, everytime I go to log into my yahoo email I get a pop up saying noscript filtered a potential cross-site scripting (xss) attempt yahoo.com, is this something I shouldn't ignore? any help is greatly appreciated