Re: XSS on Yahoo Mail
Doing mouse over shows the truth.
On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:
> Hi,
>
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
> attachments. It's possible to insert data into the "Yahoo! Mail" html
> interface.
>
> For example, with the following code in an html attachment it's possible
> to insert "Your profile is out of date, please update clicking here" above
> the button "Check Mail".
>
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
>
> I think this could be used in phishing scam.
>
> For a screenshot, see [1]. The circulated text was inserted into interface
> of the "Yahoo! Mail" through an email with the above code as an html
> attachment.
>
> I tried to contact "Yahoo!" several times, without success.
>
>
> [1] - http://richard.computeiro.com/yahoo_bug.jpg
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________________
> Yahoo! Acesso Grátis: Internet rápida e grátis.
> Instale o discador agora!
> http://br.acesso.yahoo.com/
>