
hairyfeet's Journal: XSS or something worse?

Journal by hairyfeet

I have a customer that surfs those "porntube" style sites and I kept getting emails from him consisting of a single link, obviously randomly generated. Now since I had just cleaned this machine and knew it to be good I asked "WTH?" and he swore up and down that the ONLY thing he had done was watch some videos on those porntube sites. So I figured he was probably lying, so I figured "I've just made a disc image, have AV and NoScript, let's experiment". So I went to several porntube style sites, DrTuber, XHamster, etc., just clicking links to bounce from one to the other when, sure enough, about an hour later I started getting emails from myself along with everyone in my address book!

Now since it was the Yahoo account that I only use as a spam dump I didn't care about that; what I DID care about is it looks like every. single. person. that looks at any of the porntube sites is vulnerable to having their Yahoo addresses stolen! I tried Chromium and FF 4, I tried with NoScript enabled, no matter what I did after surfing those sites for an hour or less, even after using CCleaner first to make sure there wasn't any info in the cache, there it was.

Now all I can tell you is that it doesn't seem to affect GMail or Live Mail, just Yahoo, but with Yahoo Mail it seems to be pretty damned consistent no matter what the user does! So has anyone else run into this, know how it works, or know how to stop it? I wish I could tell you the exact site, but I was looking for the effect more than the cause; if you start at DrTuber and XHamster and start clicking on video links leading to affiliates you WILL end up seeing it first hand, just don't use a Yahoo account you care about! Although since I saw the effect WITHOUT logging into Yahoo and WITH private browsing on, who knows if you'll be able to stop it? I'm starting to wonder if the new Yahoo beta isn't storing your address book unencrypted in the browser somewhere for speed. If that is the case, we are talking about a serious security flaw here, folks!

  • Fire it up, start browsing, and watch for references to Yahoo. That will identify the page it's being called from and you should be able to isolate the offending code.
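One way to do what this comment suggests, as an added example that is not from the journal or the commenter: take a HAR export of the browsing session (browser developer tools or a logging proxy can produce one) and list every request to Yahoo whose Referer names a page on a different site, which points at the page issuing the call. The HAR entries, the affiliate host names and the Yahoo URL paths below are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed HAR-style capture (not a real recording): one entry per request
# the browser made while bouncing between video sites.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://video-site.example/watch?v=1",
                 "headers": [{"name": "Referer", "value": "https://video-site.example/"}]}},
    {"request": {"url": "https://mail.yahoo.com/constructed/contacts",
                 "headers": [{"name": "Referer", "value": "https://affiliate.example/player.html"}]}},
    {"request": {"url": "https://mail.yahoo.com/",
                 "headers": [{"name": "Referer", "value": "https://mail.yahoo.com/"}]}},
]}})

# Assumption: the domains whose cross-site use we want to surface.
TARGET_DOMAINS = ("yahoo.com",)


def registrable(host):
    """Crude registrable-domain reduction (last two labels); good enough for .com hosts."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def header(entry, name):
    """Return the value of a request header from a HAR entry, or '' if absent."""
    for h in entry["request"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return ""


def cross_site_hits(har_text, targets=TARGET_DOMAINS):
    """Return (referring_page, target_url) pairs for requests to a target domain
    that carry a Referer from a page on a different registrable domain.
    Same-site requests and requests without a Referer are left out, so a direct
    visit to the mail site does not show up as a finding."""
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        host = (urlparse(url).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in targets):
            continue
        referer = header(entry, "Referer")
        ref_host = (urlparse(referer).hostname or "").lower()
        if referer and registrable(ref_host) != registrable(host):
            hits.append((referer, url))
    return hits


if __name__ == "__main__":
    for page, target in cross_site_hits(SAMPLE_HAR):
        print(f"{page} -> {target}")
```

Pages flagged this way are where to look at the embedded script or frame; a Referer can be stripped by the calling page, so an empty result does not prove the session was clean.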
