Acidus wrote:

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, yahoo automatically displayed the html, and executed
the code within. What the hell. =) It forwarded the message to my contacts
list, (or some other set of addresses, dunno,) and redirected my browser to
a website.

XSS-based worm spreading through Yahoo's web mail. Looking an an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on YAhoo for sending mail. The worm does this to send email containing the worm to everyone in your address book and sends your address book to a 3rd party. Probably to sell your email address to spammers.

This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials.

on my yahoo account i've clicked "Block HTML graphics in email messages from being downloaded" but there's no option for turning off HTML completely
sorry for the idiotic question but will that help

adam wrote:

Acidus wrote:

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, yahoo automatically displayed the html, and executed
the code within. What the hell. =) It forwarded the message to my contacts
list, (or some other set of addresses, dunno,) and redirected my browser to
a website.

XSS-based worm spreading through Yahoo's web mail. Looking an an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on YAhoo for sending mail. The worm does this to send email containing the worm to everyone in your address book and sends your address book to a 3rd party. Probably to sell your email address to spammers.

This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials.

on my yahoo account i've clicked "Block HTML graphics in email messages from being downloaded" but there's no option for turning off HTML completely
sorry for the idiotic question but will that help

That's actually a good question. If Yahoo never downloads the image, the onload event will never fire. However the a literally thousands of places in the HTML standard where JavaScript can execute. I could do a IMG tag with SRC="." (which is invalid) and have an ONERROR tag with JavaScript in it.

It really all depends on what Yahoo is filtering. The fact the forgot about IMG ONLOAD makes me think there are many more they forgot about to.