Re: XSS on Yahoo Mail

[Personal Account <jetflash@xxxxxxxxxx>]

Doing mouse over shows the truth.

On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:
>   Hi,
> 
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
> attachments. It's possible to insert data into the "Yahoo! Mail" html
> interface.
> 
> For example, with the following code in an html attachment it's possible
> to insert "Your profile is out of date, please update clicking here" above
> the button "Check Mail".
> 
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
> 
> I think this could be used in phishing scam.
> 
> For a screenshot, see [1]. The circulated text was inserted into interface
> of the "Yahoo!  Mail" through an email  with the above code  as an html
> attachment.
> 
> I tried to contact "Yahoo!" several times, without success.
> 
> 
> [1] - http://richard.computeiro.com/yahoo_bug.jpg
> 
> 
> 
> 
> 
>       
> 
> 
> 
>       
>               
> _______________________________________________________ 
> Yahoo! Acesso Grátis: Internet rápida e grátis. 
> Instale o discador agora!
> http://br.acesso.yahoo.com/
>