Yahoo! Fixes XSS Exploit Used to Hijack Yahoo! Mail Accounts

An unknown number of Yahoo! Mail users found their accounts compromised yesterday, thanks to a DOM-based (document object model) cross-site scripting (XSS) vulnerability discovered by a security researcher named Shahin Ramezany. In a DOM-based XSS bug the injection happens in the page's own client-side script rather than in HTML generated by the server, which is why a single crafted link is enough to trigger it.

Ramezany posted a video on YouTube on January 6th demonstrating the XSS vulnerability, which takes only minutes to execute and affects all current browsers. According to the video, a Yahoo! Mail user can fall victim to the exploit simply by clicking a malicious link sent to them via email, putting an estimated 400 million accounts at risk of takeover.
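The class of bug described above, as an added illustration that is not from the original post and does not reproduce Ramezany's actual Yahoo! Mail exploit (the post gives no details of it): a hypothetical web-mail page reads a value from the URL fragment (location.hash) and writes it into the document with innerHTML, shown beside two fixes. The host mail.example.com, the function names and the payload link are all constructed for this example. It also shows why such a bug is invisible to server-side XSS filtering: the fragment is never sent in the HTTP request, so only the browser ever sees the payload.

```javascript
// Added example of a DOM-based XSS pattern and its fixes. Hypothetical page
// code written for this post; NOT Yahoo! Mail's code and NOT Ramezany's exploit.
// Assumption: the page reads a "name" from the URL fragment and renders it.

// What the server ever sees of a URL: path and query. The fragment (#...) is
// not part of the HTTP request, so server-side filtering cannot inspect it.
function serverVisiblePart(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// What the client-side script sees: the fragment, percent-decoded.
function fragmentValue(urlString) {
  const u = new URL(urlString);
  return decodeURIComponent(u.hash.replace(/^#/, ""));
}

// VULNERABLE sink: untrusted fragment concatenated straight into HTML that the
// page then assigns to element.innerHTML. Any tag in the fragment is parsed.
function renderGreetingUnsafe(urlString) {
  return "<h1>Hello, " + fragmentValue(urlString) + "</h1>";
}

// Fix 1: HTML-encode the untrusted value before it reaches an HTML sink.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderGreetingSafe(urlString) {
  return "<h1>Hello, " + escapeHtml(fragmentValue(urlString)) + "</h1>";
}

// Fix 2 (preferred when no markup is needed): write to a text sink, not an
// HTML sink. Returns the update a page would apply (element.textContent = value).
function renderGreetingText(urlString) {
  return { sink: "textContent", value: "Hello, " + fragmentValue(urlString) };
}

// Constructed attacker link: looks like an ordinary mail link, but the fragment
// carries an <img> whose onerror handler runs script in the page's origin.
const MALICIOUS_LINK =
  "https://mail.example.com/inbox?folder=Inbox#" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

// Constructed benign link for comparison.
const BENIGN_LINK = "https://mail.example.com/inbox?folder=Inbox#Alice";

// Browser usage (only runs when loaded in a page; harmless under Node).
// A hypothetical element with id "greeting" is assumed.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  const el = document.getElementById("greeting");
  if (el) el.textContent = renderGreetingText(location.href).value;
}
```

Run it under Node to compare the strings the three render functions return for the two links, or load it in a page with an element whose id is greeting. The point to take from serverVisiblePart is that both links produce an identical request on the wire, so nothing in the server's logs or web application firewall distinguishes the attack from a normal click.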

Users who were affected by the exploit took to Twitter to complain and to warn anyone who received an email from them not to click any embedded links.

Thankfully, Yahoo! stepped in to close the security hole yesterday evening, issuing the following statement to The Next Web:

“At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

Lesson to be learned here? Exercise caution when following links, even when they come from a friend, since a compromised account sends its links from that friend's address. You never know what hides behind them.

Update: Researchers say Yahoo! Mail exploit still active, despite claim of being fixed


  • XSS (http://profile.yahoo.com/CFI7FLG356FMMZVK2AMORJXDKQ)

    The Yahoo XSS vulnerability is NOT patched well. The vulnerability still prevails - http://www.offensive-security.com/offsec/yahoo-dom-xss-0day-prevails/

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108
