This week, security researchers have focused their attention on websites owned by Yahoo! and found that some of them contain serious vulnerabilities.
First, the security expert known as flexxpoint identified cross-site scripting (XSS) flaws on three different Yahoo subdomains.
“One of these subdomains has a very "strong" filter: <script> is blocked ... but no surprise <ScRipT> is allowed,” flexxpoint wrote on his blog.
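The filter weakness flexxpoint describes, shown as an added example that is not taken from his blog or from Yahoo's code: a constructed case-sensitive blocklist (`naiveFilter`, a hypothetical reconstruction) beside HTML output encoding, run over the two tag spellings he quotes. The sample inputs and all function names are assumptions made for illustration.

```javascript
// Constructed sample inputs; the two tag spellings are the ones quoted in the article.
const SAMPLES = [
  "<script>alert(1)</script>",
  "<ScRipT>alert(1)</ScRipT>",
  "Tom & Jerry <3",
];

// Hypothetical reconstruction of the described filter: it drops input only
// when the exact lowercase string "<script>" is present.
function naiveFilter(input) {
  return input.includes("<script>") ? "" : input;
}

// Output encoding for HTML text and quoted-attribute contexts. Instead of
// guessing which spellings are dangerous, every markup-significant character
// is neutralised, so the browser never sees a tag at all.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// HTML tag names are case-insensitive, so this check mirrors what a browser
// would treat as an opening script element.
function hasScriptTag(markup) {
  return /<script[\s>]/i.test(markup);
}

// Compare both defences on each sample.
function audit(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    naiveLeavesScript: hasScriptTag(naiveFilter(input)),
    escapedLeavesScript: hasScriptTag(escapeHtml(input)),
    escaped: escapeHtml(input),
  }));
}

console.log(audit());
```

Only the mixed-case sample survives the blocklist with a live script element; the encoded output contains none for any sample, and the benign text is preserved rather than rejected.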
One day later, Georgian security researcher Ucha Gobejishvili found an SQL Injection vulnerability on a “Yahoo Customers Website.”
According to Gobejishvili, the remotely exploitable security hole can be leveraged by an attacker to execute his own SQL commands to compromise the site’s database management system and gain access to all the data.
The Georgian also posted proof of the fact that Yahoo representatives are already working on addressing the issues he discovered.
It’s uncertain if flexxpoint contacted Yahoo on this occasion, but he usually notifies the affected vendor when finding such serious vulnerabilities.