Yahoo Mail Hit By XSS Exploit Putting 400 Million Users At Risk

Yet again mistrust growing in between the large number of Yahoo users, as it has been continuously failed to protect its customers from cyber attack. Late in last year we have seen that the two major services of Yahoo get compromised, which affects millions of its registered users across the globe. First it was Yahoo Voice, which get hacked while putting 450K users at high risk. Then it was the time for Yahoo Mail, where few Egyptian hacker figured out serious XSS vulnerabilities in Yahoo Mailing service that lets attackers steal cookies from Yahoo Webmail users. Later cyber criminals made product while exploring that loop holes, that so called product or widely known as exploit was made available at high price in underground market and forums. As expected Yahoo immediately patched these loopholes, but now it seems they did not learn lesson from the decent past. 

You all may be wondering! what happened? Again the security of Yahoo fallen victim in front of hackers. Shahin Ramezany, a hacker and independent security researcher have figure out a DOM-Based XSSvulnerability in Yahoo Mail that is exploitable in all major browsers. Ramezany tweeted about this issue whihc links to an YouTube video, where he demonstrated the hack. Shahin Ramezany also claimed that the exploit have put more than 400 Million yahoo users at risk.

As soon as this story get spotted, Yahoo immediately responds the matter, in their official release a Yahoo spokesman said "We’ve been looking into it and the US have now confirmed that they are investigating too. They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately."

Later Yahoo said that thy have plugged the security hole. In their statement the spokesperson added, “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

But this issue did not get completely resolved, as immediately after the fix release of Yahoo, Shahin Ramezany said that the fix is not good enough, and the Yahoo Mail exploit is still active. In his twitter he said "not effective enough and users are still [at] risk," since the proof-of-concept code can be easily tweaked to continue attacks.