Printed from http://www.electronista.com

[U] Yahoo Mail accounts compromised in quick XSS exploit

updated 01:34 pm EST, Mon January 7, 2013

Hacker details attack process in YouTube video

[Updated with Yahoo response] Yahoo Mail accounts have been hacked, with a DOM-based cross-site scripting vulnerability being the main vector of attack. Details of the hack, including how to perform the attack on specific e-mail accounts, has appeared online in a YouTube video demonstration, with the entire attacking process taking just a couple of minutes.

The attack has been demonstrated by a single person going by the name of Shahin Ramezany, according to The Next Web. The video seems to show a link being sent to a target user, which takes them to a seemingly-innocent URL. The attacker then uses details stored in log files to clone the cookie of the user and then gain access to their account, with the entire attack taking just over four minutes to complete. A post on Twitter by the hacker suggests that up to 400 million Yahoo Mail accounts are at risk from the attack until it gets patched by Yahoo, and a number of Twitter users have already confirmed they were victims of the exploit.

In July 2012, over 400,000 passwords and e-mail combinations were leaked from a Yahoo Voices server, rebranded from Associated Content. The attack at that time contained addresses for Gmail and AOL e-mail accounts, as well as Yahoo Mail.

[Update] Electronista asked Yahoo for comment. A spokesperson for the company said "At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We are investigating recent reports of user accounts that may have been compromised to send abusive email and will work diligently to fix any vulnerabilities that are found. In general, we recommend using different passwords for online accounts, changing passwords from time to time, and choosing passwords that combine letters, numbers, and symbols. Separately, we were also recently informed of an online video that demonstrated a potential security vulnerability, which has been fixed."




By Electronista Staff
Post tools:

TAGS :

toggle

Comments

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

Advertisement

Recent Reviews

Moshi iVisor AG and XT for iPad Air 2

Have you ever tried to put in a screen protector that relies on static to cling to the screen? How many bubbles and wrinkles does it h ...

Epson PowerLite Home Cinema 3500 projector

Trying to find the perfect projector for a home theater can be tricky, as there are bountiful options on the market from a large numbe ...

Thecus N2310 NAS

For every computer user, there comes a point of critical mass in data storage. When it hits, external hard drives, USB sticks and DVD ...

Advertisement

toggle

Most Commented

 
toggle

Popular News