NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA Listmaster

NRT-0627 Hackers use cross site scripting error to exploit Yahoo domain:


A Cross Site Scripting (XSS) error in Yahoo's 'hotjobs.yahoo.com' domain allowed hackers to exploit users' Yahoo Mail accounts and other restricted areas of Yahoo's Web site, according to press reporting. Paul Mutton, an Internet services developer for Netcraft who helped discover the XSS exploit, said the hackers exploited the XSS vulnerability using 'hot jobs' URLs that contained a long series of digits. Once transformed into JavaScript, the booby-trapped URLs redirected users to a blank Web page on a different domain.

Once a user has been redirected, the damage is done: the victim need not enter a user name or password, because simply visiting the blank page allowed the hackers to steal authentication cookies that act as universal keys across the entire yahoo.com domain. Access to the Yahoo cookies gave the hackers broad control over users' Yahoo accounts, including Yahoo Mail and any other service belonging to the yahoo.com domain that uses authentication cookies.

In September 2008, 'bankofamerica.com,' 'register.com,' 'netflix.com' and dozens of other Web sites were caught transmitting authentication credentials that were vulnerable to a new tool called 'CookieMonster,' according to the report. The report noted that Web sites can defeat CookieMonster attacks by using HTTPS-only cookies.

[theregister.co.uk, 27OCT08]


Last Modified: Friday, 14-Nov-2008 07:13:14 EST