Reliable Answers - News and Commentary

Yahoo! Privacy Violation!



Yahoo! has fixed the problem.

This page hosted a demonstration script that accessed a *publicly available* link on Yahoo!'s domain whose contents displayed your YahooID.

Big deal, you say? Any website, such as this one, would be capable of embedding that link within its code in order to reap the contents - and discover your identity from the information obtained.

If you'd like to test it yourself, you can download the file linked below. If it has your YahooID within it then - obviously - it's not fixed.

This page used script to read a text input box inside a hidden DIV element that referenced the Yahoo! script outlined below. There are, of course, other ways to accomplish the same thing; this is only a simple example. For it to work *in this scenario* you must have JavaScript enabled in a version 4 or later browser. However, that is ONLY for this sample. It is entirely possible to collect your YahooID without resorting to script, even though the file referenced on Yahoo! is designed to be used as script: a secondary or inline frame whose source is set to the same URL can be easily parsed to return the same information.

This information was obtained by reading the contents of a URL used in a large number of YahooGroups message advertisements. Here's the URL: http://smartbanner.san.yahoo.com/cgi-bin/sbanner.js
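The following is an added example, not code from the original page or from Yahoo!, modelling the leak class described above in Node.js: a per-user script that any site can include with a script tag, beside a design that keeps identity out of cross-origin-loadable resources, and a check over constructed access-log lines. The endpoint path is the one named above; the request and session shapes, header checks and log format are assumptions.

```javascript
// Vulnerable pattern: identity embedded in an executable resource that any
// origin can load with <script src=...>, so the including page can read it back.
function bannerScriptVulnerable(session) {
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `document.write('<input type="hidden" name="yid" value="${session.yahooId}">');`,
  };
}

// Hardened pattern: the public script carries nothing user-specific; identity
// is served only as non-executable JSON to same-origin callers that add a
// custom header (a cross-origin <script> or <iframe> load cannot set one).
function bannerScriptHardened() {
  return { status: 200, contentType: 'application/javascript',
           body: `document.write('<div class="banner"></div>');` };
}

function profileJsonHardened(session, req) {
  const h = req.headers;
  const sameOrigin = h['sec-fetch-site'] === 'same-origin';        // modern browsers
  const customHeader = h['x-requested-with'] === 'XMLHttpRequest'; // needs a CORS preflight
  if (!sameOrigin && !customHeader) return { status: 403, contentType: 'text/plain', body: '' };
  return {
    status: 200,
    contentType: 'application/json', // plus X-Content-Type-Options: nosniff in practice
    // The ")]}'," prefix makes the body a syntax error if it is ever loaded as a script.
    body: ")]}',\n" + JSON.stringify({ yahooId: session.yahooId }),
  };
}

// Detection: list requests for the identity-bearing script whose Referer is
// another site. These access-log lines are constructed for the example.
const SAMPLE_LOG = [
  '1.2.3.4 GET /cgi-bin/sbanner.js "http://groups.yahoo.com/group/foo"',
  '5.6.7.8 GET /cgi-bin/sbanner.js "http://third-party.example/page.asp"',
  '9.9.9.9 GET /cgi-bin/sbanner.js "-"',
];

function foreignReferers(lines, ownDomain = 'yahoo.com') {
  return lines.filter((line) => {
    const m = line.match(/"([^"]*)"$/);
    if (!m || m[1] === '-') return false; // no Referer sent: cannot judge from the log alone
    const host = new URL(m[1]).hostname;
    return host !== ownDomain && !host.endsWith('.' + ownDomain);
  });
}
```

Note that a referrer blocklist, as the 2001/03/15 update speculates Yahoo! applied, only stops the sites already known; the durable fix is the second pattern, where no cross-origin-loadable resource contains the identity at all.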



2001/03/16 Update:
I received notice that they've taken "appropriate measures to address [my] concerns." Case closed. <g>



2001/03/15 Update:
About 36 hours after receiving the response from TRUSTe, each time I visited this page the script failed. This is not a problem with my code, but it might have been fixed on Yahoo!'s end. If so, they have not had the consideration of contacting me to let me know it has been resolved (in all my correspondence on this subject so far I have asked to be notified if this threat to privacy had been resolved). On the other hand, they may have just filtered this domain and IP from the acceptable referrer list - which means that though I cannot exploit your YahooID on *this* site, it may be possible on other sites. If they ever tell me, I'll post it here. And, of course, I'll continue to update this site as information is made available.



2001/03/12 Update:
I've contacted Yahoo! about this situation twice (2001/03/06 and 2001/03/10). The second time, because Yahoo! had not responded to either notice, I also contacted TRUSTe. On 2001/03/12 I received a response from a representative at TRUSTe who is looking into the issue. So much for Yahoo! being capable of policing itself. I'll update this site as information is made available.



A special thanks to my lovely wife Annette for discovering this issue.



Reliable Answers.com/privacy/yahoo.asp