GreyMagic devised a method to inject such arbitrary (potentially malicious) content into a Yahoo or Hotmail email message, the organization said. The method is not limited to Hotmail and Yahoo, though; it may apply to other web-based services.

The flaw seems to be an oversight in how incoming emails are stripped of potentially malicious HTML content when combined with some non-standard HTML functions built into the Internet Explorer browser.

GreyMagic said it demonstrated how an HTML email could be designed to give access to login names and passwords, emails, files, and other confidential data. The vulnerability could allow browser vulnerabilities to be exploited via email, it said.

GreyMagic said Microsoft Corp and Yahoo! Inc were informed about the problems on March 11. Microsoft fixed it in a couple of days. Yahoo did not respond, but now reportedly says a fix will be in place shortly.

This article is based on material originally published by ComputerWire