By Lucian Constantin, Techworld.com, 04 December 2012
Attackers can read emails, contacts and other private data from the accounts of Yahoo users who visit a malicious page by abusing a feature present on Yahoo’s Developer Network website, according to an independent security researcher.
A limited version of the attack was presented on Sunday at the DefCamp security conference in Bucharest, Romania, by a Romanian Web application bug hunter named Sergiu Dragos Bogdan.
In his presentation, the researcher showed how the Web-based YQL (Yahoo Query Language) console, available on the developer.yahoo.com website, can be abused by attackers to execute YQL commands on behalf of authenticated Yahoo users who visit malicious websites.
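The risk described above is a browser-facing console executing commands with the visitor's existing login. The following is an added example, not code from Yahoo or from the researcher's talk, of the server-side check such an endpoint needs: the request must come from the console's own origin and carry a per-session anti-forgery token that a third-party page cannot read. The endpoint shape, the allowed origin, the token derivation and the `executor` callback are all assumptions for illustration.

```python
# Added example (not Yahoo's code): the defensive gate a "run this query for
# the logged-in user" endpoint needs so that a page on another site cannot
# drive it with the visitor's session cookie. Origins, endpoint and token
# layout below are assumptions for illustration.
import hmac
import hashlib
import secrets

ALLOWED_ORIGINS = {"https://developer.example.com"}  # assumed console origin


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-forgery token; the console embeds it in its own page."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_console_request(headers: dict, form: dict, session_id: str, secret: bytes):
    """Return (allowed, reason). Reject anything a foreign page could have submitted."""
    # 1. Browsers set Origin on cross-site POSTs; a foreign or absent origin is refused.
    origin = headers.get("Origin")
    if origin is None:
        # Fall back to Referer, reduced to scheme://host.
        referer = headers.get("Referer")
        if referer:
            origin = "/".join(referer.split("/")[:3])
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    # 2. The form must carry the token derived from this session; a malicious
    #    page on another origin cannot read it, so it cannot forge the request.
    token = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(token, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


def run_query_for_user(headers: dict, form: dict, session_id: str, secret: bytes, executor):
    """Only hand the query to the (assumed) executor once the request is proven first-party."""
    allowed, reason = authorize_console_request(headers, form, session_id, secret)
    if not allowed:
        return {"status": 403, "error": reason}
    return {"status": 200, "result": executor(form.get("q", ""))}


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    sid = "session-123"  # constructed sample session id
    fake_executor = lambda q: f"ran: {q}"  # stand-in for the real query engine
    good = run_query_for_user(
        {"Origin": "https://developer.example.com"},
        {"csrf_token": issue_csrf_token(sid, secret), "q": "select * from example.feed"},
        sid, secret, fake_executor)
    bad = run_query_for_user(
        {"Origin": "https://other.example"},
        {"q": "select * from example.feed"},
        sid, secret, fake_executor)
    print(good)  # status 200
    print(bad)   # status 403, never reaches the executor
```

Both checks matter: the origin check alone fails for clients that strip Referer and for older browsers that omit Origin, while the token alone still depends on the token never being exposed to other origins; together they ensure a visit to an unrelated page cannot turn into a query run under the visitor's session.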
YQL is a programming language similar to SQL (Structured Query Language) that was created by Yahoo. It can be used to query, filter and combine data stored in databases.