[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
- To: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
- From: "Neil Davis" <rg.viza@xxxxxxxxx>
- Date: Tue, 18 Apr 2006 18:53:22 -0400
whether any of us, people who read full disclosure, and may even be
security researchers, would fall for a yahoo phish, or need to log
into yahoo, is irrelevant. The fact is that yahoo mail is vulnerable
to XSS, and less savvy users could be exploited.
Yahoo, along with all websites that accept user input, should filter
their input... it's the right thing to do, since it increases security
and prevents users from being exploited with XSS.
Depending on the user to not allow himself to be exploited is how bad
security habits are born.
If you are like me and are constantly deleting cookies (using the
mozilla extension "clear data", because I test a lot and this requires
me to delete cookies a lot) you'd have to log in every time you use
any site.
Yahoo is vulnerable to XSS attacks, so they should fix their site, period.
On 4/18/06, Morning Wood <se_cur_ity@xxxxxxxxxxx> wrote:
> > Yahoo! Mail once in a while will ask you
> > to re login again so it's not so anormal.
>
> I use Yahoo Mail, I have never once had to re-login in 4 years.
>
> dunno...
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/