I just received an email with an html attachment, on a yahoo account. When I opened the mail, yahoo automatically displayed the html, and executed the code within. What the hell. =) It forwarded the message to my contacts list, (or some other set of addresses, dunno,) and redirected my browser to a website.
XSS-based worm spreading through Yahoo's web mail. Looking an an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on YAhoo for sending mail. The worm does this to send email containing the worm to everyone in your address book and sends your address book to a 3rd party. Probably to sell your email address to spammers. This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials. XSS worm spreading through Yahoo webmail |