Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Yahoo Toolbar Causes XSS for Major Online Services: Researcher

Yahoo has fixed a bug in Yahoo Toolbar that generated a stored cross-site scripting (XSS) vulnerability in several important online services.

Yahoo has fixed a bug in Yahoo Toolbar that generated a stored cross-site scripting (XSS) vulnerability in several important online services.

 The issue, identified by California-based security researcher Behrouz Sadeghipour, affected not only Yahoo services, but also Flickr, Google, YouTube, Twitter, Amazon, Pinterest and many others. Sadeghipour discovered the Yahoo Toolbar flaw when he realized that some of the XSS payloads he had previously set were all of a sudden triggered only on a computer which had the application installed.

Initially, the researcher thought only Flickr was affected, but since Yahoo hadn’t responded to his reports, he continued performing tests. That’s when he realized that Yahoo Toolbar triggered the XSS payload on numerous popular services.

“Anyone using Y! Toolbar could simply get their Yahoo, Google, YouTube, and other services hijacked by visiting any of those websites containing an XSS vector. Since these are highly reputable websites, it makes it easier for attackers to hijack accounts due to the fact that reputation and websites that contains a malicious code designed for an attack,” Sadeghipour explained in a blog post.

Yahoo was informed of the vulnerability on May 17, and fixed the issue on May 30 with the release of a new version of the toolbar.

Sadeghipour told SecurityWeek that he only managed to conduct tests on Chrome because Yahoo addressed the bug before he could try to replicate the results on other Web browsers.

This isn’t the first time Sadeghipour has found XSS vulnerabilities affecting Yahoo services. In May, he identified an XSS flaw impacting the comments section on hundreds of Yahoo pages. An attacker simply had to post malicious code as a comment and it would get executed whenever someone accessed the page containing it.

POC Video is embedded below:

Advertisement. Scroll to continue reading.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.