Yahoo Local Launches in India – Easily Hackable

Yahoo has launched their local search into India this week into four major cities: Delhi, Mumbai, Bangalore and Chennai. The local search in India works very much like the local search in the U.S.  To be honest, I don’t use Yahoo Local – I’ve been more of a Yelp’er or lately also searching via address using Google Maps. Though playing with Yahoo Local this morning, it’s pretty robust. I like how it aggregates reviews from across the Web in addition to those from Yahoo Local, offers an interactive map and a variety of alternative suggestions for other topics in the location I am in. I don’t see anything very innovative, the information is just presented in a very usable format.

On a more serious note, It appears that Yahoo Local India is easily hackable by injecting script code into a review and you can do basically anything from that point. Sridhar was able to create an iframe with Google in the body (see the screenshot below). He also notes that anything way more malicious could also be injected.

I tested this hack on the U.S. version of Yahoo Local and was unable to reproduce the security issue. When I entered any script code and clicked submit, the system removed the code within the script tags and prompted me to add more content.

I have submitted a ticket to Yahoo to get them to fix this.