In a report published by TNW, it has been revealed that, despite several claims by Yahoo Inc., the DOM-based XSS vulnerability that resulted in the compromise of many Yahoo accounts is still active, putting millions of Yahoo users in danger.
Earlier, experts found a vulnerability that resulted in email accounts being hacked after users clicked a malicious link sent to their inbox. Yesterday, the information security training and penetration testing firm Offensive Security said that while scanning they discovered that the DOM-based vulnerability is still present, and that every Yahoo Mail user is in danger and on the edge of losing their account if they click the malicious link.
Two days ago, a hacker, Shahin Ramezany (aka Abysssec), posted a video on YouTube showing how to hack Yahoo accounts by using a DOM-based XSS vulnerability. The information security training and penetration testing firm then contacted Abysssec and discussed Yahoo's claim that the vulnerability had been fixed, but Abysssec told the firm that the vulnerability can still work with a simple modification.
With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account. The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed. This can be demonstrated by the video we have created just this morning (10:23 AM EST, Jan 8th, 2013) after Shahin kindly shared proof of concept code with us.
Here is the video tutorial posted by Abysssec earlier:
The new video of Abysssec's exploit with the modification is available on the Offensive Security blog.
Yesterday, Yahoo! Inc. released the following statement:
At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.
We at Hack Read urge Yahoo Mail users NOT to click any link sent to their inbox by anyone, known or unknown, until the vulnerability is completely fixed.