Yahoo Toolbar Vulnerability Triggers Unexploitable XSS Payload on All Websites
Yahoo offers a web browser toolbar that includes apps for leading sites such as Facebook, Yahoo! Mail, Weather and News. The Yahoo Toolbar, also known as the Y! Toolbar, is available for the Internet Explorer, Firefox and Google Chrome web browsers.

The Yahoo Toolbar is one of the most popular and widely installed web browser add-ons/extensions. Many popular software packages, such as the Java updater, and thousands of free programs, including some antivirus products, promote the Yahoo Toolbar and bundle it into their installers.

A vulnerability in the Yahoo Toolbar has been reported by security researcher Behrouz Sadeghipour. It causes a cross-site scripting (XSS) flaw on popular websites such as Flickr, Yahoo, Google, Pinterest, YouTube, Amazon, Twitter and many more.

The Yahoo Toolbar vulnerability causes XSS payloads that were previously non-exploitable on these popular websites to execute, as shown in the screenshots below, which Behrouz provided to The Hacker News.

[Screenshots: previously unexploitable XSS payloads triggered by the Yahoo Toolbar on popular websites]

The vulnerability resides in the way the Toolbar intercepts and modifies website pages in the browser in order to deliver additional content: a payload that the site itself rendered as harmless text can become live markup once the Toolbar rewrites the page.
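The following is an added illustration of that mechanism, not the Toolbar's own code and not based on any analysis of it. It assumes a hypothetical add-on that rewrites page content in two ways: an unsafe rewrite that decodes the page's HTML entities before splicing the content back in (which re-activates a payload the website had neutralised by encoding it), and a safe rewrite that leaves the page markup untouched and escapes only what the add-on adds. The functions `rewriteUnsafe`, `rewriteSafe` and `containsActiveMarkup`, and the stored comment, are constructed for this example.

```javascript
// Added illustration (not Yahoo Toolbar code): how a content-rewriting
// browser add-on can re-activate an XSS payload that the website had
// already neutralised by HTML-encoding it.

// Minimal HTML entity decoder, the kind of "normalisation" a careless
// content rewriter might apply before re-inserting text into the page.
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };
function decodeEntities(s) {
  return s.replace(/&(lt|gt|quot|#39|amp);/g, (m) => ENTITIES[m]);
}

// Escaping in the other direction: what a correct rewriter does with any
// text it inserts itself.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical unsafe rewrite: decode the page text and splice it back in
// as raw markup. Encoded text the site deliberately made inert now renders
// as real tags and attributes.
function rewriteUnsafe(pageHtml, extraContent) {
  return decodeEntities(pageHtml) + `<div class="toolbar-extra">${extraContent}</div>`;
}

// Hypothetical safe rewrite: keep the original markup byte-for-byte and
// escape the add-on's own additions before inserting them.
function rewriteSafe(pageHtml, extraContent) {
  return pageHtml + `<div class="toolbar-extra">${escapeHtml(extraContent)}</div>`;
}

// Defender-side check used in this example: does the markup contain a
// <script> tag or an inline event-handler attribute (onerror=, onload=, ...)?
// Simplified regex detector; a real audit would walk the parsed DOM.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: a user comment the site stored after encoding it, so
// the classic test payload renders as harmless text, not as an <img> tag.
const STORED_COMMENT = 'Nice photo! &lt;img src=x onerror=alert(1)&gt;';
const PAGE = `<p class="comment">${STORED_COMMENT}</p>`;

// Compare the three states: the site's own page, the page after the unsafe
// rewrite, and the page after the safe rewrite.
function demo() {
  return {
    originalInert: !containsActiveMarkup(PAGE),
    unsafeRewriteActivates: containsActiveMarkup(rewriteUnsafe(PAGE, 'Y! extra')),
    safeRewriteStaysInert: !containsActiveMarkup(rewriteSafe(PAGE, 'Y! extra')),
  };
}

console.log(demo());
```

The takeaway for anyone building a page-modifying extension is that everything already in the page is untrusted input: re-inserting it through any path that interprets HTML (entity decoding, `innerHTML`, string concatenation into markup) undoes the escaping the website relied on, and the site's own XSS defences cannot help because the rewrite happens after the server's output encoding.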

The Yahoo Toolbar also has built-in features to block pop-ups and spyware, but now its own flaw could be used for redirection, malware delivery or cookie theft through cross-site scripting attacks.

"Anyone using Y! Toolbar could simply get their Yahoo, Google, YouTube, and other services hijacked by visiting any of those websites containing an XSS vector. Since these are highly reputable websites, it makes it easier for attackers to hijack accounts due to the fact that reputation and websites that contain a malicious code designed for an attack." Behrouz said.

Behrouz Sadeghipour told us that he has already reported the flaw to the Yahoo Security team, and that they have recently patched it in a new version.
