Yahoo Mail was open to hacker attacks due to a file size bug. ZDNet reports that a flaw in the Yahoo Mail system could have let attackers control victims’ Yahoo accounts.
Yahoo has fixed a bug in its Yahoo Mail email system that would have allowed attackers to seize control of users’ email accounts. This bug enabled attackers to take control of a user’s account by simply sending them a specially crafted email.
According to eEye Digital Security’s Drew Copley, the security flaw allowed attackers to bypass the webmail system’s JavaScript filters. Any message exceeding approximately 100kb in length would not be analysed by the filter, which is meant to strip messages of any potentially malicious JavaScript.
“A remarkable note about this bug is that no one seems to have found it before,” Copley’s advisory reads. “As far as anyone knows.”
Technical Description:
-----------EXAMPLE EMAIL---------
SCRIPT
[->a bunch of chars here [spaces are most stealth], the whole file size will be just about 100KB]
[this causes the filter to not work… the code is then run automatically]
---------------------------------
The pseudo-diagram above explains the scenario rather well. For whatever reason, Yahoo’s email filter simply does not work on files which exceed a certain range. This kind of software issue is relatively common. A remarkable note about this bug is that no one seems to have found it before.
Yahoo has fixed the Yahoo Mail bug.
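The size-limit failure described above, shown as a fail-open filter next to a fail-closed one. This is an added example, not Yahoo's or eEye's code. The exact limit, the regex-based filter and all function names are assumptions made for illustration.

```python
import re
from html import escape

# Assumed scan limit; the page only says "approximately 100kb".
MAX_SCAN_BYTES = 100 * 1024

# Toy stand-in for the real filter: removes <script> elements.
# A production sanitizer should use an allowlist HTML parser, not a regex.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def strip_scripts(body: str) -> str:
    return SCRIPT_RE.sub("", body)


def too_large(body: str) -> bool:
    return len(body.encode("utf-8")) > MAX_SCAN_BYTES


def filter_fail_open(body: str) -> str:
    """Flawed pattern: input over the limit is passed through unscanned."""
    if too_large(body):
        return body
    return strip_scripts(body)


def filter_fail_closed(body: str) -> str:
    """Hardened pattern: unscanned content is never rendered as HTML."""
    if too_large(body):
        # Cannot scan within budget, so neutralise all markup instead.
        return "<pre>" + escape(body) + "</pre>"
    return strip_scripts(body)


def has_script(rendered: str) -> bool:
    return "<script" in rendered.lower()


def constructed_message(padding: int) -> str:
    # Constructed sample: benign marker script after `padding` spaces.
    return "<p>hello</p>" + " " * padding + "<script>marker()</script>"


if __name__ == "__main__":
    for name, msg in (("small", constructed_message(10)),
                      ("oversized", constructed_message(MAX_SCAN_BYTES))):
        print(name, "fail-open:", has_script(filter_fail_open(msg)),
              "fail-closed:", has_script(filter_fail_closed(msg)))
```

A regression test for any content filter should include inputs just below and just above every size or time budget, asserting that the over-budget path never returns active markup.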







Comments
44 responses so far ↓
catherine on Apr 22, 2004 at 10:31 pm
Yesterday aboutblank, a virus, got through all 5 of my filters. Was this related to the Yahoo Mail incident? Users beware of aboutblank, it is a terrible virus. I have first-hand knowledge! I am now an aboutblank survivor!
Ann on May 3, 2004 at 6:05 pm
Wish they had fixed it before my account was hacked by some jerks in Canada. I was blackmailed for $275 to return the account to me. YAHOO WOULD NOT RESPOND TO MY PLEAS FOR HELP. Instead the hacker knows that yahoo doesn’t respond and in a few hours they themselves respond representing themselves as an arm of yahoo to help me out. Referring me to a company who could recover my account. They of course were the hackers. I did get it back with a threat that the link had been traced and police should be arriving any moment.
BOOOOOO ON YAHOOOOOOOOO
jan jan on May 25, 2004 at 9:17 pm
my yahoo mail
khan9559@yahoo.com
is not opening. It gives again and again the message of INVALID PASSWORD, although I type the right password and also I have not changed the password.
Please help me, how can I open my Yahoo mail?
regards
jan
Amy on May 30, 2004 at 12:03 pm
My Yahoo mailbox got wiped out this morning. I thought this was fixed?????
Diana on Jun 16, 2004 at 8:01 am
Since the new Yahoo Mail was implemented yesterday, I find I cannot really use the account at all. I can log in and view emails, but cannot delete an email, cannot send or reply, and cannot move an email from one box to another. My other email accounts are working fine. Is anyone else having this problem? Or know how to fix it? I have made no recent changes in my internet options or settings. Yahoo does not respond to my help messages.
adedeji bakare on Jun 17, 2004 at 10:26 am
i forge my password
MIke on Jun 17, 2004 at 2:47 pm
I CAN NOT DELETE ANY MAIL OUT OF MAIL BOX.
irina berdichevsky on Jun 20, 2004 at 4:22 pm
I am not able to read my mail from my computer and able to do it from another.
stacey on Jun 20, 2004 at 9:29 pm
I cannot log in to my yahoo mail! I enter my username and password and then it “thinks” for a really long time and finally gives me the “cannot locate server” page — is there something wrong with my email? Or is there something wrong with yahoo? I haven’t been able to find a way to contact yahoo so I was hoping someone here could help! Thanks!
wq on Jun 21, 2004 at 10:48 pm
I have a similar problem here with Yahoo. “Invalid password” always. However, sporadically, I can log in once only from my home computer.
I am more inclined to think this is a major screw-up at Yahoo during Yahoo!Mail upgrade.
mavis on Jul 14, 2004 at 1:16 am
Yahoo is seriously malfunctioning. I, too, am unable to send or delete any mail. If there is anyone out there who knows how to fix this problem please leave a message explaining how to correct the problem.
Dave on Jul 25, 2004 at 7:55 am
I cannot log in no either. Cannot get my Yahoo ID to work. Yahoo mail gives invalid password. Just need to get in long enough to get messages, addresses and sh**can the account and go back to hotmail
osas on Aug 6, 2004 at 9:01 am
I want to know the hacking password because I need it to open a box; I forgot the password. Please, I need it urgently. I guess you can help by sending the password tomorrow to my email address.
Thanks a lot
faim on Aug 17, 2004 at 6:49 am
hacking
JOSEPH LUUBE on Aug 25, 2004 at 12:32 pm
thanks
JOSEPH LUUBE on Aug 25, 2004 at 12:35 pm
I am pleased to be on the internet.
shiva krishna on Nov 1, 2004 at 10:15 am
I am unable to check my yahoo mail. After I type in the login address and the password, the browser takes me to aboutblank
John David on Nov 2, 2004 at 12:54 am
My Account, yahoo ID is ( deaconblooze2000 ) Why am I not able to use My yahoo ID and/or Read My e-mail? ( I’m not able to do anything ). I have had to start a NEW Yahoo Account. At ( www.coldshot_07@yahoo.com ) Will You Help Me? I need the information in that account, email addresses etc.
Scooby729 on Dec 1, 2004 at 3:17 am
My Yahoo account was just jacked and customer service just sends me form letters. Is there any way to find out who, or get back into your own account????
Col Randheer Singh on Jan 28, 2005 at 8:38 am
I am unable to open Yahoo mail. Sometimes it opens and most of the time it does not open.
Col Randheer Singh on Jan 28, 2005 at 8:42 am
Yahoo mail opens with great difficulties. Sometimes it does not open.
Roja on Feb 23, 2005 at 9:30 pm
I am unable to open my Yahoo ID (roja_sud@yahoo.com), though able to open Yahoo Messenger and Yahoo Photos with my ID.
As I enter my ID and password, it's giving a “CANNOT FIND SERVER” message. Or if I open Yahoo Mail from Messenger, it's going to the page where it asks for the profile information. I am able to open other Yahoo IDs from the same computer but unable to open the roja_sud ID.
I did not find answers for this in Help Tips. Please do help me.
hemant on Mar 19, 2005 at 8:35 pm
I want to change my password, please give me a reply soon, I am in difficulty.
praveen on May 7, 2006 at 1:36 am
I entered my ID and password correctly but it is showing “cannot find server”.
noman on Dec 6, 2006 at 2:01 am
Hi! I am not able to open my mails. Please solve my problem.
Dorothy on Nov 27, 2007 at 10:06 am
I can’t open my e-mail on either of my sites, the sites open, but i can’t open anything or delete anything. HELP!!!!!!!!!!!!!!!
lokesh on Dec 7, 2007 at 2:04 am
Hello,
I’m unable to open my Yahoo account “mca_yadav_lokesh@yahoo.co.in” by entering the right mail ID and password (it shows the message “Invalid Id or Password”); same condition in my Yahoo Messenger also.
Please help me
thom johnson on Dec 12, 2007 at 12:37 pm
Yahoo Mail Still Not Fixed!!!!!!!
My wife’s email account was just hijacked at Yahoo. they changed her password and sent out scam mail to her address book. I hate to say it, but Yahoo needs a wake-up call. We use our email for everything from on-line shopping to liquidation buy-outs. I would hate to have to take legal action, but Hey, that might be what it will take.
I have been using Yahoo since ‘97 and have been a firm believer in their security. Was I Wrong??
Very Violated
abhay on Dec 31, 2007 at 10:58 am
is not opening. It gives again and again the message of INVALID PASSWORD, although I type the right password and also I have not changed the password.
Please help me, how can I open my Yahoo mail?
rita on Jan 6, 2008 at 11:36 pm
Same problem as abhay, I continually get the message of INVALID PASSWORD on every yahoo account I have. This stinks.
kalyan on Mar 6, 2008 at 3:14 pm
my yahoo mail
mirthu_1@yahoo.co.in
is not opening. It gives again and again the message of INVALID PASSWORD, although I type the right password and also I have not changed the password.
Please help me, how can I open my Yahoo mail?
regards
kalyan
rajeshh_jain on Apr 14, 2008 at 2:49 pm
not able to open my account
vishal on Apr 14, 2008 at 8:34 pm
not able to open my account
ramy on May 26, 2008 at 11:36 am
am enterin correct id n password but its givin invalid n am nat able 2 open my mail. wat 2 du ..plzz help..its URGENT
chen on Jun 5, 2008 at 11:50 am
Maybe this site is not for responding back because I see no answer to what the problems have been raised???
sunny on Jun 18, 2008 at 5:02 am
my yahoo id is not open ..plz open my account any send me my new password my new mailid
b.heart65@yahoo.com
MAyur on Jul 16, 2008 at 10:15 pm
hiii
On some systems my mail ID is opening but on some systems it is not opening. It will not give any error message but again comes to the login option. Please help me, friends. I have checked all blocking options on those systems but all are correct.
adil sharif roman on Aug 15, 2008 at 8:34 pm
that web is not opening try to help it out
KHADER on Aug 27, 2008 at 6:18 am
When I open the inbox it is showing “the page cannot be displayed”.
N Dhanuka on Sep 27, 2008 at 7:41 am
Unable to open my Yahoo email accounts, both ndcalcutta@yahoo.com & ndindia1@yahoo.com. The reason showing is invalid email ID or password, but in the morning I had opened and checked both of my accounts.
don on Nov 19, 2008 at 12:54 am
hiiii
do or die
shajeeh on Nov 19, 2008 at 1:02 am
hijacking