CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL
Hi, every time I go to log into my Yahoo email I get a pop-up saying NoScript filtered a potential cross-site scripting (XSS) attempt yahoo.com. Is this something I shouldn't ignore? Any help is greatly appreciated.
Last edited by Tom T. on Mon Jan 14, 2013 5:32 am, edited 1 time in total.
Reason: edited title to alert community that this is an actual, known attack in progress
Re: Noscript Filtered cross site scripting?
Open Error Console (Ctrl+J), copy the contents of the associated XSS message from there & paste here.
Re: Noscript Filtered cross site scripting?
Alright, I found 2 entries, but when I submit this post it's saying I'm trying to post spam. I guess it's because the second entry is huge, so I'm only posting the first entry.
[NoScript XSS] Sanitized suspicious request. Original URL [http://hsrd.yahoo.com/_ylt=Ah5s964R1wgt ... o.com%252F] requested from [http://www.yahoo.com/]. Sanitized URL: [http://hsrd.yahoo.com/_ylt%20Ah5s964R1w ... 5330013285].
Re: Noscript Filtered cross site scripting?
Putting the entries inside Code tags should help with the spam filter.
However, there is a known cross-site scripting vulnerability in Yahoo e-mail. Yahoo claims to have fixed it, but security researchers beg to differ.
I don't get this XSS message, because I tighten Yahoo permissions versus the default whitelist.
The default whitelist includes:
yahoo.com
yimg.com
yahooapis.com
I delete yahoo.com and yahooapis.com, and add this tighter whitelist entry:
mail.yahoo.com
-- allowing only the mail sub-domain versus the entire Yahoo universe.
and add
ymail.com
which at some time was needed for handling attachments. It may or may not be now -- they keep changing how they handle attachments.
Since I don't wish to show the "userstatus", messenger, etc., yahooapis seems to be needed only to edit account settings, address book, etc. So I Temp-Allow it for those rare occasions, then Revoke temporary permissions afterward.
This worked fine up until a week or two ago, when it became impossible to sign in to Yahoo mail without also temp-allowing
yahoo.com
So I T-A it, log in, then revoke it. Once logged in, the revoking of yahoo.com does not seem to affect anything.
A bit of a PITA, but it seems to prevent not only the exploit, but also the NoScript message about blocking it. Let's all be thankful to NS's excellent XSS protection for (apparently) preventing us from becoming victims of this widespread attack. Too bad that Yahoo can't seem to secure their site.
Changed the topic title to reflect that this is a known vulnerability.
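A small helper, added here as an example and not part of this thread or of NoScript itself, that parses an error-console line of the shape quoted earlier in the thread and checks which hosts the default whitelist and the tightened one cover. The sub-domain matching rule (an entry covers that host and everything beneath it) and the shortened sample line are assumptions modelled on the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the console line quoted in the thread; the
# original is truncated there, so this copy is shortened and is not real data.
SAMPLE_LOG = (
    "[NoScript XSS] Sanitized suspicious request. Original URL "
    "[http://hsrd.yahoo.com/_ylt=Ah5s964R1wgt] requested from "
    "[http://www.yahoo.com/]. Sanitized URL: "
    "[http://hsrd.yahoo.com/_ylt%20Ah5s964R1w]."
)

LOG_RE = re.compile(
    r"\[NoScript XSS\] Sanitized suspicious request\. Original URL "
    r"\[(?P<original>[^\]]+)\] requested from \[(?P<origin>[^\]]+)\]\. "
    r"Sanitized URL: \[(?P<sanitized>[^\]]+)\]"
)

# Whitelists exactly as described in the post above.
DEFAULT_WHITELIST = ["yahoo.com", "yimg.com", "yahooapis.com"]
TIGHT_WHITELIST = ["yimg.com", "mail.yahoo.com", "ymail.com"]


def parse_noscript_xss(line):
    """Split one sanitisation message into its three URLs, or None if it
    does not match the expected shape."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("original", "origin", "sanitized")}


def host_allowed(host, whitelist):
    """Assumed matching rule: an entry covers the host itself and every
    sub-domain below it, never a parent or sibling domain."""
    host = host.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def assess(line, whitelist):
    """Report the target host of a sanitised request, whether the filter
    changed the URL, and whether scripts would run there under whitelist."""
    rec = parse_noscript_xss(line)
    if rec is None:
        return None
    host = urlparse(rec["original"]).hostname or ""
    return {
        "host": host,
        "url_changed": rec["original"] != rec["sanitized"],
        "script_allowed": host_allowed(host, whitelist),
    }
```

Running `assess(SAMPLE_LOG, TIGHT_WHITELIST)` shows that hsrd.yahoo.com falls outside the tightened list while mail.yahoo.com stays inside it, which is the effect the post describes.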
Re: CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL
Awesome, thanks. I removed all my Yahoo entries and just kept/added yimg.com, mail.yahoo.com, and ymail.com like you said, and I'm not getting the warning pop-up and the site is working fine. Thanks again.
Re: CROSS-SITE SCRIPTING VULNERABILITY IN YAHOO E-MAIL
Switchs wrote:
Awesome thanks, I removed all my yahoo entries and just kept/added yimg.com, mail.yahoo.com, and ymail.com like you said and I'm not getting the warning pop up and the site is working fine. thanks again

You're quite welcome.
This vulnerability affects all browsers AFAIK, so please help spread the word to everyone you know, or in any relevant forums:
Firefox or SeaMonkey plus NoScript is the best protection available for this issue -- and for many others, known or future.