CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL

Ask for help about NoScript, no registration needed to post
Switchs
Posts: 3
Joined: Fri Jan 11, 2013 6:56 pm

CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL

Post by Switchs » Fri Jan 11, 2013 7:00 pm

Hi, everytime I go to log into my yahoo email I get a pop up saying noscript filtered a potential cross-site scripting (xss) attempt yahoo.com, is this something I shouldn't ignore? any help is greatly appreciated
Last edited by Tom T. on Mon Jan 14, 2013 5:32 am, edited 1 time in total.
Reason: edited title to alert community that this is an actual, known attack in progress
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0

User avatar
therube
Ambassador
Posts: 7719
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Noscript Filtered cross site scripting?

Post by therube » Fri Jan 11, 2013 9:23 pm

Open Error Console (Ctrl+J), copy the contents of the associated XSS message from there & paste here.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16a2

Switchs
Posts: 3
Joined: Fri Jan 11, 2013 6:56 pm

Re: Noscript Filtered cross site scripting?

Post by Switchs » Sat Jan 12, 2013 7:20 pm

Alright I found 2 entries but when I submit this post its saying I'm trying to post spam, I guess its because the second entry is huge so I'm only posting the first entry.

[NoScript XSS] Sanitized suspicious request. Original URL [http://hsrd.yahoo.com/_ylt=Ah5s964R1wgtIbjUmAB1kJibvZx4/SIG=13ubjkei9/EXP=1358104370/**https%3A//login.yahoo.com/config/login%3F.src=fpctx%26.intl=us%26.done=http%253A%252F%252Fwww.yahoo.com%252F] requested from [http://www.yahoo.com/]. Sanitized URL: [http://hsrd.yahoo.com/_ylt%20Ah5s964R1wgtIbjUmAB1kJibvZx4/SIG%2013ubjkei9/EXP%201358104370/**https://login.yahoo.com/config/login%3F.src%20fpctx&.intl%20us&.done%20http://www.yahoo.com/#4564739875330013285].
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Noscript Filtered cross site scripting?

Post by Tom T. » Mon Jan 14, 2013 5:31 am

Putting the entries inside Code tags should help with the spam filter.

However, there is a known cross-site scripting vulnerability in Yahoo e-mail. Yahoo claims to have fixed it, but security researchers beg to differ.

I don't get this XSS message, because I tighten Yahoo permissions versus the default whitelist.
The default whitelist includes:

yahoo.com
yimg.com
yahooapis.com


I delete yahoo.com and yahooapis.com, and add this tighter whitelist entry:

mail.yahoo.com

-- allowing only the mail sub-domain versus the entire Yahoo universe.

and add

ymail.com

which at some time was needed for handling attachments. It may or may not be now -- they keep changing how they handle attachments. :roll:

Since I don't wish to show the "userstatus", messenger, etc., yahooapis seems to be needed only to edit account settings, address book, etc. So I Temp-Allow it for those rare occasions, then Revoke temporary permissions afterward.

This worked fine up until a week or two ago, when it became impossible to sign in to Yahoo mail without also temp-allowing
yahoo.com

So I T-A it, log in, then revoke it. Once logged in, the revoking of yahoo.com does not seem to affect anything.

A bit of a PITA, but it seems to prevent not only the exploit, but also the NoScript message about blocking it. Let's all be thankful to NS's excellent XSS protection for (apparently) preventing us from becoming victims of this widespread attack. Too bad that Yahoo can't seem to secure their site.

Changed the topic title to reflect that this is a known vulnerability.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.0) Gecko/20100101 Firefox/18.0

Switchs
Posts: 3
Joined: Fri Jan 11, 2013 6:56 pm

Re: CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL

Post by Switchs » Mon Jan 14, 2013 6:30 am

Awesome thanks, I removed all my yahoo entries and just kept/added yimg.com, mail.yahoo.com, and ymail.com like you said and I'm not getting the warning pop up and the site is working fine. thanks again
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL

Post by Tom T. » Mon Jan 14, 2013 6:56 am

Switchs wrote:Awesome thanks, I removed all my yahoo entries and just kept/added yimg.com, mail.yahoo.com, and ymail.com like you said and I'm not getting the warning pop up and the site is working fine. thanks again

You're quite welcome.

This vulnerability affects all browsers AFAIK, so please help spread the word to everyone you know, or in any relevant forums:
Firefox or Seamonkey plus NoScript is the best protection available for this issue -- and for many others, known or future. :)
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0

Post Reply