Scripting glitch discovered in Yahoo and Hotmail

24 March 2004

A flaw in the way web-based email services Yahoo Mail and Hotmail filter messages left users open to attack via specially crafted online scripts, a security specialist has revealed.

Microsoft claims to have plugged the hole by which hackers could potentially have stolen passwords, accessed the contents of email opened by victims or even spread worms through web email. Yahoo expects to have the flaw fixed "shortly".

Lee Dagon, director of research and development for Israeli computer security firm GreyMagic Software, released an advisory yesterday and said that the company discovered the flaw earlier this month.

Yahoo and Hotmail screen all HTML content arriving at their servers in a bid to stop damaging scripts disrupting their systems, but GreyMagic technicians reportedly found a way to bypass the filters via an Achilles' heel in security and send potentially harmful commands.

"Hotmail and Yahoo do everything they can to prevent script from running in an email message," Mr Dagon said. "We found a way to bypass their filters in order to make script run."

The vulnerability is part of a class of problems known as cross-site scripting flaws, which use a problem in a site's security to pass potentially harmful commands to another site or a user's computer.

GreyMagic said it had used Internet Explorer "features" to demonstrate the defect.
