Lycos Free Email Cross-Site Scripting Vulnerability

Lycos’s Free Email service “allows users to have their own web based email account very much like Hotmail”. A cross site scripting vulnerability in Lycos’s Free Email service allows an attacker to steal a user’s cookie allowing him full access to his Lycos email account. Further, due to a flaw in the way Lycos handles cookies, even if the user being attacked changes his password, the attacker can still gain access to his account as the cookie will remain valid

Proof of Concept was provided.


Leave a Reply