I did make a report to the Yahoo! Security Staff; here is what they replied:
Quote:Thank you for contacting us regarding this issue. Just send the
details to this address and we'll work to reproduce and fix the
issue. If you can focus on the XSS flaw with a simple proof of
concept (e.g., alert('xss')) that will make it easier to
reproduce. Also, if you can clarify if this is an issue in
Y!Mail Classic or Y!Mail Beta as well as the hostname where the
exploit worked (e.g., us.f123.mail.yahoo.com).
And I think what I have done is right, with this reply:
Quote:
I'm more than OK to do that. However, before I send the PoC and you guys fix it, I need a condition to be confirmed. Once the hole is fully agreed on by your side and fully fixed, an official acknowledgment must be made by Yahoo! on that, not anything drowned in silence. It's not fair for millions of Yahoo! users when they were always at high risk before but didn't even know about it. Many of their accounts may have been compromised using this vulnerability before, and sensitive information may have been, and may still be, seriously stolen and used for evil stuff. Advice from Yahoo! for users to change their password should also be made.
Some more details on this hole for you guys to make a decision: Although this is Yahoo! Mail's fault, you don't need the victims to open / click anything in Yahoo! Mail. What's dangerous is: just embed a hidden iframe anywhere, on any web page, and that's it. Whenever a victim visits your site and after that logs in to any Y! service, they lose their cookie immediately without any notice. For example: I embed it in the BBC website, and on a nice day you surf the BBC for news, after that log in to your Y! Mail to check stuff, then you're done. Thousands of accounts can be easily owned in just a few hours. That will happen under any version of IE. For all other browsers, the cookie cannot be stolen. However, hackers can instead do evil stuff at that moment (downloading your whole mail inbox and sending it to them...deleting all your blog entries...it all depends on their imagination). Moreover, combining this with another weak point from Yahoo! 360 (will mention this later on) can create a highly destructive BOTNET spreading out all over the Yahoo! Community. Every victim after that will become the hackers' best assistant, helping to steal the cookies of their own friends.
I'm waiting for your agreement.
Let's see how they respond to that. :)