Yahoo Fixes Webmail Vulnerability

By Justin Lee, theWHIR.com, June 25, 2008

June 25, 2008 -- (WEB HOST INDUSTRY REVIEW) -- Search engine provider Yahoo! (yahoo.com) has patched a vulnerability that placed webmail users at risk of having their login information stolen, according to web application security firm Cenzic (cenzic.com).

The bug is a cross-site scripting flaw that left session IDs susceptible to theft during the interaction between Yahoo! Mail and the Yahoo! Messenger instant messaging client.

Researchers at Cenzic found the flaw in May, and collaborated with Yahoo! in fixing the problem. Yahoo! says it fixed the bug on June 13, which was soon followed by Cenzic posting a detailed advisory on the issue.

According to the advisory, the attacker would first have had to add the intended victim as a "buddy" before launching the attack, and the attack would only have worked if the Yahoo! Mail user had enabled Messenger support.

Cenzic writes: "If the attacker is using the Yahoo! Messenger desktop application 8.1.0.209 to chat with the victim, and the victim is using the Messenger support in the new Yahoo! Mail Web application, it will cause a new chat tab to open in the victim's browser. While chatting, the attacker can change their status to 'invisible', causing a message of 'offline' in the chat tab of the victim.

"The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of 'online', with the script executed in the context of Yahoo! Mail on the victim's machine. This allowed an attacker to get active access to the victim's session ID, and in turn steal their Yahoo! identity, exposing sensitive personal information stored in their Yahoo! account."

The full Cenzic advisory can be viewed here.
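The advisory's root cause is a classic one: a chat tab built markup from a peer-controlled presence message without encoding it. The following added example is not code from Yahoo!, Cenzic or the advisory; it shows the vulnerable rendering pattern beside its hardened form, with a small check a test harness could apply to rendered fragments. All function names, the `buddy` object shape and the sample presence update are assumptions constructed for illustration.

```javascript
// Added example (not Yahoo!'s or Cenzic's code): a chat tab that builds HTML
// from a buddy's status message, and the output encoding that closes the hole.
// Function names and the buddy record shape are assumptions for this example.

// Minimal HTML entity encoding for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the peer-controlled status message is concatenated
// straight into markup, so anything shaped like a tag is parsed as one and
// any script it carries runs in the origin of the webmail application.
function renderStatusUnsafe(buddy) {
  return `<div class="status">${buddy.name} is ${buddy.status}</div>`;
}

// Hardened pattern: every peer-controlled field is encoded before it reaches
// the markup, so a status message is displayed as literal text.
function renderStatusSafe(buddy) {
  return `<div class="status">${escapeHtml(buddy.name)} is ${escapeHtml(buddy.status)}</div>`;
}

// Check for a rendered fragment: does it contain any tag other than the
// <div> wrapper the template itself emits?
function containsForeignTag(html) {
  const allowed = /^<\/?div(\s[^>]*)?>$/;
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => !allowed.test(tag));
}

// Session cookie attributes that keep a stolen-script scenario from reading
// the session ID via document.cookie (HttpOnly) or sending it in clear (Secure).
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample presence update, shaped like the scenario in the
// advisory: a status change whose custom message carries markup.
const SAMPLE_UPDATE = {
  name: "buddy",
  status: 'online<img src="x" onerror="alert(1)">',
};

console.log("unsafe:", renderStatusUnsafe(SAMPLE_UPDATE));
console.log("safe:  ", renderStatusSafe(SAMPLE_UPDATE));
```

The encoding step is the fix the advisory implies; the cookie attributes are a defence in depth for the session-ID theft it describes, since a script that cannot read the cookie cannot exfiltrate it, although it can still act on the user's behalf while the page is open.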

Another security flaw was found in May in rival webmail service Google Gmail, which could enable spammers to use the free mail service as an open relay server.

In another setback to Yahoo!'s Webmail service, the company recently dropped security and anti-spam enhancements to the service after discovering the features prevented users from retrieving POP email from their external accounts.
