web application security lab

Multiple Yahoo XSS vulnerabilities

Rajesh Sethumadhavan just published a number of XSS and other vulnerabilities in Yahoo. Unfortunately, none of these are useful to launch other attacks against Yahoo’s Ajax infrastructure the way they are built. The ones that use yimg (click here for an example in IE and then click on the banner once it loads). The problem is that yimg is not on the same domain as

For AJAX to work (at least these particular attacks that I have in mind) the domain has to be the same, so finding an XSS in proper is far more useful to launch these types of attacks. The ones against Yahoo mail don’t seem to be remotely exploitable from what I can tell (like the yimg one above) but those would be ideal. But regardless, Rajesh did a great job finding them!
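As an added illustration of the same-origin point made above (example code, not part of the original post): the comparison a browser performs before it lets a page read an Ajax response, applied to constructed URLs on a yimg-style asset host and on the main mail host. The endpoint path and the sample pages are hypothetical placeholders, not real Yahoo URLs.

```javascript
// Added example, not from the original post. The same-origin policy compares
// scheme, host and port of the page where a script runs against the request
// target; a mismatch in any one of them stops the script reading the response.
// This is why an XSS on a separate static-asset host has a smaller blast
// radius than one on the main site. All URLs below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple, filling in the default port so that
// "https://mail.yahoo.com" and "https://mail.yahoo.com:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True only if all three components match; path, query and fragment never count.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Triage helper: for each page a reported XSS fires on, record whether a script
// running there could read responses from the authenticated target endpoint.
function assessXssLocations(targetEndpoint, injectionPages) {
  return injectionPages.map((page) => ({
    page,
    reachesTarget: sameOrigin(page, targetEndpoint),
  }));
}

// Constructed sample: a hypothetical Ajax endpoint on the mail host and four
// hypothetical pages where an injected script might execute.
const TARGET = "https://mail.yahoo.com/hypothetical/ajax-endpoint";
const PAGES = [
  "https://mail.yahoo.com/some/page?q=<injected>",         // same origin
  "https://us.i1.yimg.com/banner.swf?clickTag=<injected>", // different host (asset domain)
  "https://www.yahoo.com/some/page?q=<injected>",          // different subdomain
  "http://mail.yahoo.com/some/page?q=<injected>",          // different scheme
];

for (const r of assessXssLocations(TARGET, PAGES)) {
  console.log(r.reachesTarget ? "same origin     " : "blocked by SOP  ", r.page);
}
```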

5 Responses to “Multiple Yahoo XSS vulnerabilities”

  1. backbone Says:

    to “steal” the password from a yahoo user you could use the table xss exploit… found in february as i remember correctly… which wasn’t fixed because yahoo said it isn’t a yahoo vulnerability, just a browser parsing error… then through social engineering they will click it… and if lucky they will use IE, so with the address bar spoofing technique redirect them to a website which is a clone of yahoo…

    get a yahoo page clone from

  2. RSnake Says:

    Thanks, backbone, but neither of these will do the job… I need to actually introduce JavaScript (and actually an Ajaxy script at that) to take advantage of the issue. It can’t be in, but in particular. It’s a pretty specific issue, actually.

  3. Cheng Peng Su Says:

    Google this:
    inurl:swf clicktag

    and I find:

  4. RSnake Says:

    That’s a very good example, Cheng, thank you. Unfortunately, because of the same origin policy it won’t work. Yahoo does a redirect from to It would have to be on exactly for this to work. But keep ’em coming!

  5. dxe Says:

    An XSS via yahoo…”>

    I had to use to actually execute this.

    The user must be logged in to view the page.

    my means of contact are via

    AimSN = Dxe