Yahoo! has fixed the problem.
This page hosted a demonstration script which accessed a *publicly available* link on Yahoo's domain that displayed your YahooID.
Big deal you say? Any website, such as this one, could embed that link within its own code, reap the contents, and discover your identity from the information obtained.
If you'd like to test it yourself you can download the file linked below. If it has your YahooID within it then - obviously - it's not fixed.
This page used script to read a text input box embedded in a hidden DIV element, which in turn referenced the Yahoo! script outlined below. There are, of course, other means of accomplishing the same thing; this is only a simple example. For it to work *in this scenario* you must have JavaScript enabled in your browser, and the browser must be version 4 or later. That restriction applies ONLY to this sample: it is entirely possible to collect your YahooID without resorting to script, even though the contents of the file referenced on Yahoo! are designed to be used as script. One alternative is to point a secondary or inline frame at the same URL and parse the frame's contents for the ID. One caveat for anyone trying that route: in a browser that enforces the same-origin policy, a page on another domain cannot read the contents of a frame loaded from yahoo.com, so the frame approach depends on a browser flaw. The script include needs none, because a `<script src=...>` tag is exempt from that policy: the browser fetches the file with your Yahoo! cookies attached and executes it inside the including page, regardless of which site that page belongs to.
This information was obtained by reading the contents of a URL used in a large number of YahooGroups message advertisements. Because the browser sends your Yahoo! cookies along with the request, the contents of the file differ per visitor. Here's the URL: http://smartbanner.san.yahoo.com/cgi-bin/sbanner.js
2001/03/16 Update:
I received notice that they've taken "appropriate measures to address [my] concerns." Case closed. <g>
2001/03/15 Update:
About 36 hours after receiving the response from TRUSTe, each time I visited this page the script has failed. This is not a problem with my code, but it might have been fixed on Yahoo!'s end. If so, they have not had the consideration to contact me and let me know it has been resolved (in all my correspondence on this subject so far I have asked to be notified if this threat to privacy had been resolved). On the other hand, they may have just filtered this domain and IP from the acceptable referrer list, which means that though I cannot exploit your YahooID on *this* site, it may be possible on other sites. If they ever tell me, I'll post it here. And, of course, I'll continue to update this site as information is made available.
2001/03/12 Update:
I've contacted Yahoo! about this situation twice (2001/03/06 and 2001/03/10). The second time, because Yahoo! had not responded to either notice, I also contacted TRUSTe. On 2001/03/12 I received a response from a representative at TRUSTe who is looking into the issue. So much for Yahoo! being capable of policing itself. I'll update this site as information is made available.
A special thanks to my lovely wife Annette for discovering this issue.