[ISN] Yahoo developer feature can be used to steal user data

From: InfoSec News <alerts_at_private>
Date: Tue, 4 Dec 2012 04:49:59 -0600 (CST)

By Lucian Constantin
04 December 2012

Attackers can read emails, contacts and other private data from the 
accounts of Yahoo users who visit a malicious page by abusing a feature 
present on Yahoo's Developer Network website, according to an 
independent security researcher.

A limited version of the attack was presented on Sunday at the DefCamp 
security conference in Bucharest, Romania, by a Romanian Web application 
bug hunter named Sergiu Dragos Bogdan.

In his presentation, the researcher showed how the Web-based YQL (Yahoo 
Query Language) console, available on the developer.yahoo.com website, 
can be abused by attackers to execute YQL commands on behalf of 
authenticated Yahoo users who visit malicious websites.

YQL is a programming language similar to SQL (Structured Query Language) 
that was created by Yahoo. It can be used to query, filter and combine 
data stored in databases.

Received on Tue Dec 04 2012 - 02:49:59 PST

This archive was generated by hypermail 2.2.0 : Tue Dec 04 2012 - 02:52:12 PST