Bugtraq mailing list archives
XSS on Yahoo Mail
From: Richard Fuchshuber <richardfuch () yahoo com br>
Date: Wed, 23 Nov 2005 14:44:34 -0300 (ART)
Hi, I've noticed a strange behavior in "Yahoo! Mail" when dealing with html attachments. It's possible to insert data into the "Yahoo! Mail" html interface. For example, with the following code in an html attachment it's possible to insert "Your profile is out of date, please update clicking here" above the button "Check Mail". <? <TABLE border="1" cellspacing="1" cellpadding="0"> <TR>Your profile is out of date, please update <a href="www.blabla.com">clicking here.</a></TR> </TABLE> I think this could be used in phishing scam. For a screenshot, see [1]. The circulated text was inserted into interface of the "Yahoo! Mail" through an email with the above code as an html attachment. I tried to contact "Yahoo!" several times, without success. [1] - http://richard.computeiro.com/yahoo_bug.jpg _______________________________________________________ Yahoo! Acesso Grátis: Internet rápida e grátis. Instale o discador agora! http://br.acesso.yahoo.com/
Current thread:
- XSS on Yahoo Mail Richard Fuchshuber (Nov 23)
- RE: XSS on Yahoo Mail Will Wesley (Nov 24)
- Re: XSS on Yahoo Mail Steven Champeon (Nov 26)
- Re: XSS on Yahoo Mail Will Wesley (Nov 26)
- Re: XSS on Yahoo Mail Jim Ley (Nov 26)
- RE: XSS on Yahoo Mail Richard Fuchshuber (Nov 26)
- Re: XSS on Yahoo Mail Steven Champeon (Nov 26)
- Re: XSS on Yahoo Mail Personal Account (Nov 26)
- <Possible follow-ups>
- Re: XSS on Yahoo Mail little . hacker (Nov 26)
- Re: XSS on Yahoo Mail Matan Peled (Nov 26)
- Re: XSS on Yahoo Mail alireza hassani (Nov 26)
- Re: XSS on Yahoo Mail Lance James (Nov 28)
- RE: XSS on Yahoo Mail Will Wesley (Nov 24)