Today, Information Security Researcher QuisterTow come with interesting vulnerability finding in one of Top Search Engine website, Yahoo.

There is a cross site scripting vulnerability resides in the hk.promotions.yahoo.com domain.  The vulnerability is click based xss .  When i click the flash, it will display the xss code.

Poc code:

http://hk.promotions.yahoo.com/wedding2010/home_banner.swf?clickTAG=javascript:alert(/ E Hacking News /);

The above finding is really interesting one.  Just load the url and click in the flash content and it results in the code being executed.

At the time of writing, the vulnerability is still there .