Yahoo Toolbar triggers XSS in Google, other popular services, researcher finds

An independent researcher, who last month discovered a cross-site scripting (XSS) flaw impacting the comments sections of most Yahoo websites, recently uncovered a similar vulnerability – this time made possible because of Yahoo Toolbar.

The issue was fixed on May 30, but previously, using Yahoo Toolbar would cause XSS to trigger on most, if not all, websites, Behrouz Sadeghipour wrote in a Tuesday post. Sadeghipour tested it out on Yahoo, Flickr, Google, YouTube, Twitter, Pinterest and Amazon and was successful every time.

Prior to the fix, anyone using Yahoo Toolbar could have their accounts hijacked if they visited one of the aforementioned websites and it contained an XSS vector, Sadeghipour said.

To mitigate the issue, Sadeghipour suggested updating Yahoo Toolbar to the latest version, or removing it altogether.
