Acidus wrote:
I just received an email with an html attachment, on a yahoo account.
When I opened the mail, yahoo automatically displayed the html, and executed
the code within. What the hell. =) It forwarded the message to my contacts
list, (or some other set of addresses, dunno,) and redirected my browser to
a website.
XSS-based worm spreading through Yahoo's web mail. Looking an an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on YAhoo for sending mail. The worm does this to send email containing the worm to everyone in your address book and sends your address book to a 3rd party. Probably to sell your email address to spammers.
This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials.
on my yahoo account i've clicked "Block HTML graphics in email messages from being downloaded" but there's no option for turning off HTML completely
sorry for the idiotic question but will that help
