Security Experts:

Connect with us

Hi, what are you looking for?



Yahoo Toolbar Causes XSS for Major Online Services: Researcher

Yahoo has fixed a bug in Yahoo Toolbar that generated a stored cross-site scripting (XSS) vulnerability in several important online services.

Yahoo has fixed a bug in Yahoo Toolbar that generated a stored cross-site scripting (XSS) vulnerability in several important online services.

 The issue, identified by California-based security researcher Behrouz Sadeghipour, affected not only Yahoo services, but also Flickr, Google, YouTube, Twitter, Amazon, Pinterest and many others. Sadeghipour discovered the Yahoo Toolbar flaw when he realized that some of the XSS payloads he had previously set were all of a sudden triggered only on a computer which had the application installed.

Initially, the researcher thought only Flickr was affected, but since Yahoo hadn’t responded to his reports, he continued performing tests. That’s when he realized that Yahoo Toolbar triggered the XSS payload on numerous popular services.

“Anyone using Y! Toolbar could simply get their Yahoo, Google, YouTube, and other services hijacked by visiting any of those websites containing an XSS vector. Since these are highly reputable websites, it makes it easier for attackers to hijack accounts due to the fact that reputation and websites that contains a malicious code designed for an attack,” Sadeghipour explained in a blog post.

Yahoo was informed of the vulnerability on May 17, and fixed the issue on May 30 with the release of a new version of the toolbar.

Sadeghipour told SecurityWeek that he only managed to conduct tests on Chrome because Yahoo addressed the bug before he could try to replicate the results on other Web browsers.

This isn’t the first time Sadeghipour has found XSS vulnerabilities affecting Yahoo services. In May, he identified an XSS flaw impacting the comments section on hundreds of Yahoo pages. An attacker simply had to post malicious code as a comment and it would get executed whenever someone accessed the page containing it.

POC Video is embedded below:

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.