Late last night reports started coming in suggesting that Yahoo Mailusers have had their accounts hacked. While “hacked” is a very broad term nowadays, it does appear that Yahoo email accounts are being compromised after users click on a malicious link they receive in their inboxes.
Update: Yahoo says it has plugged the security hole in question but researchers beg to differ, as detailed at the bottom of this article.
A bit of digging shows the attack seems to have been carried out by a lone hacker by the name Shahin Ramezany. He has uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-Based XSS vulnerability that is exploitable in all major browsers:
The technique shown off is very simple, can be performed in just a few minutes, and seems to be very easy to automate. In his only tweet about the hack so far, Ramezany notes the vulnerability puts some 400 million Yahoo users at risk and promises the full details of his method will be posted after Yahoo plugs the security hole.
It’s not currently clear how many Yahoo Mail users have already been affected by this flaw, but it does look as if the number is growing quickly. A search on Twitter for Yahoo hacked shows that many have either had their accounts compromised, or are receiving spam from their friends with Yahoo accounts.
This warning from an actress and singer sums up the situation perfectly:
Friends and colleagues, don't click the link that was sent to you from my Yahoo email account, I was hacked :/ Apologies!
This isn’t the first time Yahoo Mail has been attacked by hackers, and it likely won’t be the last. The previous such incident was not so long ago, in July 2012, although that was related to a file being swiped from the company’s servers. This appears to be a security hole directly in Yahoo Mail.
We recommend that users with a Yahoo account change their account passwords and make a point not to click on any suspicious links they receive by email or from anywhere else. In fact, that goes for all users; don’t click on random links, even if you get them from a friend. If you think your account was compromised, also change your password on any related accounts, especially if you use the same password.
We have contacted Yahoo about this issue. We will update this article if we hear back.
Update at 1:45PM EST: “We’ve been looking into it and the US have now confirmed that they are investigating too,” a Yahoo spokesperson in the UK told TNW. “They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately.”
Update at 9:20PM EST: “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data,” a Yahoo spokesperson told TNW. “We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”
Update on January 8: Researchers say Yahoo Mail exploit still active, despite claim of being fixed