
Cenzic Identifies JavaScript Vulnerability in Yahoo! Mail

 

JavaScriptSearch
Monday, August 14, 2006; 02:35 AM

Cenzic, Inc. announced that researchers in the company's CIA (Cenzic Intelligent Analysis) Lab have discovered a new JavaScript vulnerability that could lead to exploitation of the widely popular Yahoo! Mail application.

According to Cenzic analysts, users who access Yahoo! Mail and then log out can unknowingly be left susceptible to malicious activity. After a user session, the flaw can be exploited by a hacker who turns off JavaScript on the computer and thereby gains access to email pages from the browser's cache. The Yahoo! Mail team was immediately notified. Cenzic said that due to varying browser behaviors and other considerations, a resolution could take several weeks to appear.

CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments. Since discovering the hole, Cenzic's research professionals have worked with the Yahoo! Mail team to provide counsel and support in addressing the issue.

Using a proprietary formula for calculating the severity of vulnerability information, Cenzic deemed this a threat worth recognition not only due to the technical aspects inherent to the threat, but also because of the popularity and mainstream adoption of the Yahoo! Mail program.

"Cenzic prides itself on taking immediate steps to ensure that consumers and users of our flagship Hailstorm product are proactively alerted about serious security vulnerabilities that are discovered and analyzed by our labs," said Ambarish Malpini, CTO of Cenzic. "This potentially harmful JavaScript attack is a real world problem which, if unreported, could expose Yahoo! Mail users to a range of security and privacy issues. Yahoo! acted quickly to reply to our report and is now taking the appropriate steps to fix the security threats."
