Yahoo Plugs Security Hole In Web-Mail Service

The flaw could have let attackers destroy files and steal personal information.

George V. Hulme, Contributor

December 10, 2003

1 Min Read
InformationWeek logo in a gray background | InformationWeek

Yahoo Inc. has fixed a security flaw in its Yahoo Mail service that could have let attackers destroy files and steal personal information--virtually anything a user types, including passwords, user names, and credit-card information. People using the Yahoo Mail service and had scripting enabled on their Web browsers were vulnerable to attack.

Malicious scripts used to attack these flaws are often written in ActiveX, HTML, Java, JavaScript, and VB Script.

The malicious script execution flaw was reported to Yahoo on Nov. 11, the company says. The flaw was fixed on Yahoo's servers and doesn't require customers to take any action.

The flaw was discovered by the Mobile Code Research Center at security firm Finjan Software Ltd.

In a statement, Yahoo said it takes security very seriously and "employs rigorous and aggressive measures to help protect our users.

"We are unaware of any users who were affected by the issue which no longer affects Yahoo Mail," the statement read.

Just last week, security researchers warned of a flaw in Yahoo's instant-messaging app that could allow attackers access to users' systems. That flaw has also been fixed.

Read more about:

20032003

About the Author

George V. Hulme

Contributor

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights