Yahoo patches XSS flaw affecting mail users


Yahoo has patched a cross-site scripting (XSS) vulnerability that could be triggered in multiple browsers once Yahoo Mail users opened malicious links sent to them as spam.

The security hole is a Document Object Model (DOM)-based XSS flaw, meaning the defect lies in the client-side JavaScript that handles untrusted data in the browser, as opposed to traditional XSS vulnerabilities, where server-side code echoes untrusted input into the page.
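To illustrate the distinction, here is an added example of the client-side pattern behind a DOM-based XSS and its hardened form; it is not Yahoo's code (the article shows none) and uses a constructed stand-in element so it runs under Node without a browser.

```javascript
// Minimal stand-in for a DOM element so this runs outside a browser.
// In a real page `innerHTML` is parsed as markup; `textContent` is not.
function fakeElement() {
  return {
    innerHTML: "", textContent: "",
    // crude stand-in for the parser: did markup reach the innerHTML sink?
    hasMarkup() { return /<[a-z!\/]/i.test(this.innerHTML); },
  };
}

// Vulnerable pattern: data from the URL fragment (a DOM source) is written
// with innerHTML (a DOM sink). The server never sees the fragment, so no
// server-side filter can catch it.
function renderGreetingUnsafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.innerHTML = "Hello, " + name;
  return el;
}

// Hardened pattern: same source, but textContent treats it as plain text.
function renderGreetingSafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.textContent = "Hello, " + name;
  return el;
}

// When markup around the value is genuinely needed, escape the untrusted
// part before it reaches innerHTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderGreetingEscaped(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.innerHTML = "Hello, <b>" + escapeHtml(name) + "</b>";
  return el;
}

// Constructed sample: a link fragment carrying markup instead of a name.
const SAMPLE_HASH = "#" + encodeURIComponent("<i>Bob</i>");
```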

Shahin Ramezany, a hacker and independent researcher, tweeted about the exploit on Sunday, linking to a YouTube video he created that demonstrates the hack. Ramezany also said the exploit puts 400 million users at risk.

It has not been confirmed whether the vulnerability is related to a recent wave of Yahoo Mail account compromises, in which hijacked accounts were often used to deliver spam to a victim's address book.

On Tuesday, SCMagazine.com received an emailed statement from Yahoo, which said the XSS vulnerability was patched, but the email hacking incidents could be a separate issue.

“We are investigating recent reports of user accounts that may have been compromised to send abusive email and will work diligently to fix any vulnerabilities that are found,” the statement said. “In general, we recommend using different passwords for online accounts, changing passwords from time to time, and choosing passwords that combine letters, numbers and symbols. Separately, we were also recently informed of an online video that demonstrated a potential security vulnerability, which has been fixed.”

Ramezany did not respond to a request for comment from SCMagazine.com. The researcher tweeted Monday that he planned to post proof-of-concept code for the flaw on his site, Abysssec.com, after Yahoo patched the issue.

After the news of Yahoo's fix, Ramezany later tweeted Tuesday that the patch was "not effective enough and users are still [at] risk," since the proof-of-concept code can be easily tweaked to continue attacks.
