An independent researcher, who last month discovered a cross-site scripting (XSS) flaw impacting the comments sections of most Yahoo websites, recently uncovered a similar vulnerability – this time made possible because of Yahoo Toolbar.
The issue was fixed on May 30, but previously, using Yahoo Toolbar would cause XSS to trigger on most, if not all, websites, Behrouz Sadeghipour wrote in a Tuesday post. Sadeghipour tested it out on Yahoo, Flickr, Google, YouTube, Twitter, Pinterest and Amazon and was successful every time.
Prior to the fix, anyone using Yahoo Toolbar could have their accounts hijacked if they visited one of the aforementioned websites and that site contained an XSS vector, Sadeghipour said.
To mitigate the issue, Sadeghipour suggested updating Yahoo Toolbar to the latest version, or removing it altogether.