Cenzic Research Lab Identifies Potentially Threatening Application Vulnerability in Yahoo! Mail

Cenzic, Inc. today announced that researchers in the company's CIA (Cenzic Intelligent Analysis) Lab have discovered a new JavaScript vulnerability that could lead to the exploit of the widely popular Yahoo! Mail application.

According to Cenzic analysts, users who access Yahoo! Mail and then log out can be unknowingly left susceptible to malicious activities. After a user session, the flaw can be exploited by a hacker who turns off the JavaScript running on the computer, gaining access to email pages from the browser's cache. Once this vulnerability was discovered, the Yahoo! Mail team was immediately notified and is currently evaluating potential resolutions to the issue. Due to varying browser behaviors and other considerations, it is anticipated that a resolution could take several weeks to appear.

CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments. Since discovering the hole, Cenzic's research professionals have worked with the Yahoo! Mail team to provide counsel and support in addressing the issue.

Using a proprietary formula for calculating the severity of vulnerability information, Cenzic deemed this a threat worth recognition not only due to the technical aspects inherent to the threat, but also because of the popularity and mainstream adoption of the Yahoo! Mail program.

"Cenzic prides itself on taking immediate steps to ensure that consumers and users of our flagship Hailstorm product are proactively alerted about serious security vulnerabilities that are discovered and analyzed by our labs," said Ambarish Malpini, CTO of Cenzic. "This potentially harmful JavaScript attack is a real world problem which, if unreported, could expose Yahoo! Mail users to a range of security and privacy issues. Yahoo! acted quickly to reply to our report and is now taking the appropriate steps to fix the security threats."

About Cenzic Intelligent Analysis (CIA) Research

The Cenzic Intelligent Analysis (CIA) team specializes in continuous research into application vulnerabilities and the latest tools and techniques used within the field of application security. The CIA team monitors the latest vulnerabilities and trends affecting application security by tracking Internet newsgroups, forums, mailing lists, and underground websites where vulnerability information is released. In addition to its research focus, CIA experts also perform vulnerability assessment, penetration testing, and security testing.

Cenzic has dedicated experts whose sole job is to perform ongoing research to not only analyze known vulnerabilities but also discover new or undisclosed vulnerabilities in custom, commercial, and open-source applications, and to make this information available to customers and to the community at large in the form of publications and security alerts. Cenzic Hailstorm is updated similar to anti-virus on a regular basis with new vulnerability information to give customers an advantage in staying ahead of new vulnerabilities.

About Cenzic

Cenzic is a leading provider of the next-generation enterprise software and a leading Managed Service offering for automated application security assessment and compliance that allows Fortune 1000 corporations, mid-sized corporations, and government organizations to dramatically improve the security of web applications. Cenzic® Hailstorm®, the most accurate and extensible product in the industry, enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities. Hailstorm benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Cenzic ClickToSecure(TM) service is one of the industry's first Software as a Service (SaaS) to combine the power of an enterprise-class application security assessment product with the flexibility of a managed security service. Cenzic Assessment Methodology completes the solution with a state-of-the-art business process consulting service to help customers improve their application security methodologies. Cenzic solutions are the most accurate, comprehensive, and extensible in the industry. Cenzic's current focus includes financial services, e-retail, healthcare, and government sectors. For more information, visit www.cenzic.com .

CONTACT: Jason Throckmorton Melissa Biles LaunchSquad 415-625-8555 Email Contact