Yahoo Mail 2013 Allegedly Hacked via XSS Exploit

Late last night reports started coming in suggesting that Yahoo Mail users have had their accounts hacked. While “hacked” is a very broad term nowadays, it does appear that Yahoo email accounts are being compromised after users click on a malicious link they receive in their inboxes.

Update: Yahoo says it has plugged the security hole in question but researchers beg to differ, as detailed at the bottom of this article.

A bit of digging shows the attack seems to have been carried out by a lone hacker by the name of Shahin Ramezany (Iranian). He has uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based XSS vulnerability that is exploitable in all major browsers.

The technique shown off is very simple, can be performed in just a few minutes, and seems to be very easy to automate. In his only tweet about the hack so far, Ramezany notes the vulnerability puts some 400 million Yahoo users at risk and promises the full details of his method will be posted after Yahoo plugs the security hole.

It’s not currently clear how many Yahoo Mail users have already been affected by this flaw, but it does look as if the number is growing quickly. A search on Twitter for “Yahoo hacked” shows that many users have either had their accounts compromised or are receiving spam from friends with Yahoo accounts.