Yahoo mends e-mail security flaw

Yahoo has fixed a flaw in its web-based e-mail service that exposed users to serious attacks, including potential interception of...

Yahoo has fixed a flaw in its web-based e-mail service that exposed users to serious attacks, including potential interception of personal data.

Security company Finjan Software said Yahoo's mail service contained a so-called malicious script execution flaw, which meant an attacker could send an e-mail containing malicious script and that code would run automatically once the user opened the message.

If successful, an attacker could delete files on a victim's computer, steal personal information such as usernames and passwords, credit card numbers and any other information a user inputs on his computer.

"The potential was huge, you could infect millions of Yahoo users within an hour," said Shlomo Touboul, Finjan's chief executive officer, adding that when the malicious script runs, the attacker gains full control of a user's machine.

The script code can be written in various programming languages, including Java, JavaScript, VB Script, Active X and HTML, according to Finjan. Yahoo has now taken steps to block most of the scripts in its e-mail service, Touboul said.

Yahoo spokeswoman Mary Osako said the company takes security very seriously and employs rigorous and aggressive measures to help protect users. "Yahoo was informed of an issue in Yahoo Mail on 11 November and quickly implemented a server-side fix which did not require users to take any action. We are unaware of any users who were affected by the issue which no longer affects Yahoo Mail," she said in a statement.

Last week researchers warned of a buffer overrun flaw in Yahoo's instant messaging product that could allow attackers to run their own code on computers running the software.

Joris Evers writes for IDG News Service 

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close