The patch that didn’t patch up much
On 7 January, Yahoo issued a fix for the flaw, which allowed a hacker to take complete control of a victim’s machine by carrying out a cross-site scripting (XSS) attack. But researchers subsequently found a way to exploit the flaw, even after the patch.
The vulnerability has come as a setback for Yahoo, which had only launched its revamped Mail client in mid-December.
“With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account,” wrote researchers on the Offensive Security blog.
“The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed.
“Yahoo Mail users should be on guard against clicking any links for the foreseeable future. Due to the nature of the vulnerability, XSS filters and similar protections provide little defense against this attack.”
The team showed how the XSS vulnerability could be exploited in this video below:
Microsoft saw one of its fixes smashed wide open by researchers this month, when Exodus Intelligence showed how it could still exploit a flaw in Internet Explorer, meaning users were open to attack.
UPDATE: Yahoo got in touch to say it has now fixed the flaw properly: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
What do you know about online security? Try our quiz and find out!