On Monday, Yahoo told TNW it had plugged a vulnerability in Yahoo Mail that had resulted in email accounts being compromised after users clicked on a malicious link they received in their inboxes. On Tuesday, the information security training and penetration testing firm Offensive Security said it had discovered the vulnerability is still present.
As we wrote yesterday, the hacker Shahin Ramezany (aka Abysssec) uploaded a YouTube video demonstrating how to compromise a Yahoo account by leveraging a DOM-based XSS vulnerability that is exploitable in all major browsers. Offensive Security says it spoke with Ramezany yesterday after Yahoo said the flaw was fixed, and found that it can be worked around:
With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account. The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed. This can be demonstrated by the video we have created just this morning (10:23 AM EST, Jan 8th, 2013) after Shahin kindly shared proof of concept code with us.
Here is the new video:
For the record, here is Yahoo’s statement from yesterday:
At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.
We have contacted Yahoo about this new claim. We will update this story if we hear back.
In the meantime, we recommend the same thing we did yesterday. Users with a Yahoo account should make a point not to click on any suspicious links they receive by email or from anywhere else. In fact, that goes for all users; don’t click on random links, even if you get them from a friend. If you think your account was compromised, also change your password on any related accounts, especially if you use the same one elsewhere.
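To show why a single clicked link is enough for the DOM-based XSS class mentioned above, here is an added illustration of the generic pattern. It is not Yahoo Mail's code and not the proof of concept discussed in the article; the link, the "Folder" template and the function names are constructed for the example. It contrasts a template that pastes a URL fragment into HTML with one that treats it as text, and includes a check a developer can run over rendered output.

```javascript
// Added illustration of the generic DOM-based XSS pattern: the page's own
// JavaScript reads attacker-controlled input from the URL (the fragment after
// '#') and writes it into the document as HTML. Pure string handling, so it
// runs in Node without a browser.

// Constructed sample link carrying markup in the fragment (hypothetical host).
const SAMPLE_LINK = "https://mail.example.test/inbox#<img src=x onerror=alert(1)>";

// Extract the fragment the way client-side code typically does via location.hash.
// The URL parser percent-encodes '<', '>' and spaces; decoding restores them.
function fragmentOf(link) {
  const hash = new URL(link).hash;          // "#%3Cimg%20src=x..." or ""
  return decodeURIComponent(hash.slice(1)); // drop the leading '#'
}

// VULNERABLE pattern: the fragment is concatenated into HTML that the page would
// then assign to element.innerHTML, so markup in the input becomes live DOM.
function renderUnsafe(fragment) {
  return "<h1>Folder: " + fragment + "</h1>";
}

// HARDENED pattern: treat the input as text. Escaping the HTML metacharacters is
// equivalent to assigning the value with element.textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(fragment) {
  return "<h1>Folder: " + escapeHtml(fragment) + "</h1>";
}

// Defender-side check for a unit test on templating code: after stripping the
// fixed template, does the output still contain a tag opener that came from input?
function containsInjectedMarkup(html) {
  const body = html.replace(/^<h1>Folder: /, "").replace(/<\/h1>$/, "");
  return /<[a-z!\/]/i.test(body);
}

module.exports = { SAMPLE_LINK, fragmentOf, renderUnsafe, renderSafe, containsInjectedMarkup };
```

Running `containsInjectedMarkup` over `renderUnsafe(fragmentOf(SAMPLE_LINK))` reports injected markup, while the escaped variant does not; the same idea applies to any sink that turns strings into DOM (`innerHTML`, `document.write`, `eval` on URL data), which is why the mitigation is to pick a text-only sink rather than to filter links.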