Trend Micro has revealed the existence of a proof-of-concept (PoC), cross-site scripting (XSS) code that affects Yahoo! Mail.
From their blog:
Here’s how the exploit works. The first component (which is written in Perl) is installed on a web server. This code is supposed to execute whenever a user visits a web page that is hosted on that server. The path of the CGI script on the web server is then parsed by the second component and appends a Yahoo URL string to it. An entirely new URL is generated. This URL can be sent to an unsuspecting user through an innocent-looking email or YM message. When the user clicks on the URL, his Yahoo account becomes compromised.
The Trend Micro Virus Encyclopedia entry for EXPL_YAHOXSS.A is more descriptive:
The link to the Web site where this code is hosted may arrive embedded in spammed email messages. The said link may appear as the following:
http://search.yahoo.com/web/advanced?ei=UTF-8&p=%22%3E….
The said link tricks the user into thinking that it is related to Yahoo! search results.
Once clicked, it connects to a Web site with an embedded Perl script. The said script, which automatically runs when accessed, steals cookies related to the affected user’s Yahoo! Mail account. This allows a remote malicious user to take control of an active Yahoo! Mail session while the affected user is logged in.
If you notice your browser’s address bar when viewing Yahoo! Mail, it has a lot of seemingly-random strings of text. XSS is dangerous because if a target Web site doesn’t validate a URL, anything can happen, depending on the script used by that Web site. This problem had manifested in LiveJournal (which led to change in user URLs, from www.livejournal.com/users/user_name to user-name.livejournal.com) and MySpace.
While this problem is just a proof of concept, the fact that the PoC exists proves that it can be done. All it takes is a very good programmer to get the PoC code, tinker with it, and release it in the wild.
Again, be careful when handling links/URLs being sent to you via email or IM, even if they come from trusted sources (remember SOHANAD?).