Bugtraq mailing list archives

Re: XSS on Yahoo Mail

From: Personal Account <jetflash () hotpop com>
Date: Wed, 23 Nov 2005 20:23:19 -0500

Doing mouse over shows the truth.

On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:

  Hi,

I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
attachments. It's possible to insert data into the "Yahoo! Mail" html
interface.

For example, with the following code in an html attachment it's possible
to insert "Your profile is out of date, please update clicking here" above
the button "Check Mail".

<?
<TABLE border="1" cellspacing="1" cellpadding="0">
<TR>Your profile is out of date, please update <a
href="www.blabla.com">clicking here.</a></TR>
</TABLE>

I think this could be used in phishing scam.

For a screenshot, see [1]. The circulated text was inserted into interface
of the "Yahoo!  Mail" through an email  with the above code  as an html
attachment.

I tried to contact "Yahoo!" several times, without success.


[1] - http://richard.computeiro.com/yahoo_bug.jpg





      



      
              
_______________________________________________________ 
Yahoo! Acesso Grátis: Internet rápida e grátis. 
Instale o discador agora!
http://br.acesso.yahoo.com/

Current thread:

XSS on Yahoo Mail Richard Fuchshuber (Nov 23)
- RE: XSS on Yahoo Mail Will Wesley (Nov 24)
  - Re: XSS on Yahoo Mail Steven Champeon (Nov 26)
    - Re: XSS on Yahoo Mail Will Wesley (Nov 26)
  - Re: XSS on Yahoo Mail Jim Ley (Nov 26)
  - RE: XSS on Yahoo Mail Richard Fuchshuber (Nov 26)
- Re: XSS on Yahoo Mail Personal Account (Nov 26)
- <Possible follow-ups>
- Re: XSS on Yahoo Mail little . hacker (Nov 26)
  - Re: XSS on Yahoo Mail Matan Peled (Nov 26)
- Re: XSS on Yahoo Mail alireza hassani (Nov 26)
  - Re: XSS on Yahoo Mail Lance James (Nov 28)