A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When a client requests content hosted on a particular source domain and that content makes requests directed at a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction.

It has been about a year since Yahoo announced its bug bounty program, and the program has helped both the company and the researchers who take part. Yahoo gives security, and the privacy of its users, high priority: recently it announced that its mail service (Ymail) enables SSL by default and encrypts traffic between its data centers.

A Canadian security researcher found a vulnerability in the Yahoo Mail service. A loose cross-domain policy governing Flash requests on Yahoo Mail put the service at risk: by exploiting the vulnerability an attacker could read the victim's mails and contacts and, overall, take full control of the account. As Milne says, Yahoo patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. The specific issue has been fixed by the Yahoo team, but Milne thinks there may still be more vulnerabilities. In his blog post Milne explained the technical details of the bug, and says a hacker "could host a malicious .swf and entice the user via a phishing email or watering hole attack to visit the site in order to trigger the exploit," Milne said.

For reporting the vulnerability, the Yahoo team awarded him $2,500 USD as part of their bounty program.