Computer Crime Research Center


Yahoo fixes mail hole

Date: August 17, 2006
By: Andrew Charlesworth

Yahoo has fixed a potential security flaw in its email service that could have allowed hackers to hijack Yahoo email accounts.

The problem was discovered earlier in August by Nir Goldshlager and Roni Bahar of Israeli security company Avnet.

The security hole required hackers to create an HTML attachment with different encoding schemes to bypass Yahoo Mail's security filter and then execute JavaScript code to download the recipient's mail cookie.

Once acquired, the cookie would provide access to the email session and hence the email inbox to read, send and delete emails.

A recipient would have to open only the malicious email, not the attachment too.

Although the mail cookie would not have given the hacker password control over the email account directly, once the email session had been hijacked the hacker could have gained the password by using the facility offered by Yahoo (and all other mail providers) to email passwords to customers who have forgotten them.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo