An unknown number of Yahoo Mail users found their accounts compromised yesterday, thanks to a Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability discovered by security researcher Shahin Ramezany.
On January 6th, Ramezany posted a video on YouTube demonstrating the XSS vulnerability, which takes only minutes to exploit and affects all current browsers. According to the video, a Yahoo! Mail user can fall victim to the exploit simply by clicking a malicious link sent to them by email, putting an estimated 400 million accounts at risk of being taken over.
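As an added illustration of the DOM-based XSS pattern the article describes (example code written for this page, not Yahoo's code or Ramezany's proof of concept), the following JavaScript contrasts a page script that copies a URL-fragment parameter into an HTML sink with a hardened version, plus a small check a reviewer can run over rendered output; the host name and the `name` parameter are assumptions.

```javascript
// DOM-based XSS: the tainted value comes from the URL fragment (client side only,
// the server never sees it) and reaches an HTML sink such as element.innerHTML.
// Works in Node (URL and URLSearchParams are globals) as well as in a browser.

// Source: read a parameter from the fragment part of a link, e.g. #name=Alice
function fragmentParam(href, name) {
  const hash = new URL(href).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get(name) || '';
}

// Minimal HTML entity encoding for text that must land inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: builds markup that would be assigned to element.innerHTML unchanged.
function renderGreetingVulnerable(href) {
  return '<p>Hello, ' + fragmentParam(href, 'name') + '</p>';
}

// Hardened: encode before the HTML sink (or assign via textContent instead).
function renderGreetingSafe(href) {
  return '<p>Hello, ' + escapeHtml(fragmentParam(href, 'name')) + '</p>';
}

// Review check: does the rendered markup contain any tag the template never
// emitted, or an inline event-handler attribute on any tag?
function containsInjectedMarkup(html, allowedTags = ['p']) {
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g)) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
    if (/\son\w+\s*=/i.test(m[2])) return true;
  }
  return false;
}

// Constructed sample links (placeholder host, not a real Yahoo! Mail URL).
const benignLink = 'https://mail.example.invalid/inbox#name=Alice';
const maliciousLink = 'https://mail.example.invalid/inbox#name=' +
  encodeURIComponent('<img src=x onerror="alert(1)">');
```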
Users affected by the exploit took to Twitter to complain and to warn anyone who received an email from them not to click any embedded links.
Thankfully, Yahoo! stepped in to close the security hole yesterday evening, issuing the following statement to The Next Web in the process:
“At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”
Lesson to be learned here? Exercise caution when following links, even when they are sent by a friend: you never know what hides behind them!