
Yahoo Mail XSS Vulnerability Still Exploitable After Patch

Yahoo Mail is still affected by an XSS vulnerability, despite the troubled Internet giant shoving out what it believed was a fix earlier this month.

On 7 January, Yahoo issued a fix for the flaw, which allowed a hacker to take complete control of a victim’s machine by carrying out a cross-site scripting (XSS) attack. But researchers subsequently found a way to exploit the flaw, even after the patch.

XSS flaws arise when a website allows untrusted data to be rendered on a page. If that data includes JavaScript code, the browser runs it in the context of the site, where it can potentially access user cookies.

Yahoo Mail insecurity

To compromise user accounts, attackers have to get their targets to click on a link, which then causes JavaScript code to be executed in the part of the website where the flaw resides. This code accesses the cookies and passes them to the attacker’s own server.

The vulnerability has come as a setback for Yahoo, which had only launched its revamped Mail client in mid-December.

“With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account,” wrote researchers on the Offensive Security blog.

“The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed.

“Yahoo Mail users should be on guard against clicking any links for the foreseeable future. Due to the nature of the vulnerability, XSS filters and similar protections provide little defense against this attack.”

The team showed how the XSS vulnerability could be exploited in a video.

Microsoft saw one of its fixes smashed wide open by researchers this month, when Exodus Intelligence showed how it could still exploit a flaw in Internet Explorer, meaning users were open to attack.

UPDATE: Yahoo got in touch to say it has now fixed the flaw properly: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
