While we think of most vulnerabilities as relating to software we run on our individual machines, there's still a huge world out there of web applications that are open to scrutiny. Recently, Yahoo has fixed
a bug in their own websites that could potentially reveal any Yahoo user's account to a malicious third party. Rather than being browser or platform specific, it was an issue with Yahoo's own systems, as the article brings out:
Researchers say it would have been trivial to exploit the vulnerability because it worked across multiple browsers and required only that a victim click on an innocuous-looking link embedded in an email.
Exploiting the flaw would give an attacker access to the person's Yahoo mail account or pilfer other information from other services like Yahoo maps. The flaw is a Cross-site scripting (XSS) attack, which is used more and more often to steal data, especially as more companies rely on many conglomerate pages that use client side scripts.
No users have to change anything or patch anything, as of course site scripting is entirely due to the coding on the remote web server. How many people were compromised by this flaw, if any, Yahoo
has not mentioned.