The Next Web reports that over the weekend people started reporting that their Yahoo Mail accounts had been hacked. Apparently, when a user clicks a malicious link in an email, the user's details are sent to a website, where the session cookie is captured. The cookie is later replayed in a different browser session to impersonate the victim, which the Yahoo Mail client accepts: the hacker now has access to the victim's inbox.
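The attack described above only works because the captured cookie is accepted from any browser that presents it. As an added example (not Yahoo's code, and not taken from the article), the following Python sketch shows the two server-side controls a web mail service would use against this: issuing the session cookie with the `HttpOnly`, `Secure` and `SameSite` attributes so injected script cannot read it, and binding each session to the client it was issued to so a replayed cookie from another browser is rejected, revoked and logged. All names (`SessionStore`, `SERVER_KEY`, the sample IPs and user agents) are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed server-side secret (hypothetical); a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-do-not-use-in-production"
SESSION_TTL_SECONDS = 3600


@dataclass
class Session:
    user: str
    client_binding: str   # HMAC of the client attributes the cookie was issued to
    issued_at: float


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _bind(self, ip, user_agent):
        # Bind the session to the client that received it. A cookie stolen via XSS and
        # replayed from another browser or address will not produce the same value.
        return hmac.new(SERVER_KEY, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user, ip, user_agent):
        token = secrets.token_urlsafe(32)   # unguessable, 256 bits of randomness
        self.sessions[token] = Session(user, self._bind(ip, user_agent), time.time())
        return token

    def set_cookie_header(self, token):
        # HttpOnly keeps the cookie out of document.cookie, so script injected through an
        # XSS flaw cannot read it; Secure and SameSite limit where the browser sends it.
        return (f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; "
                f"Path=/; Max-Age={SESSION_TTL_SECONDS}")

    def validate(self, token, ip, user_agent, now=None):
        """Return the user for a valid session, or None if the cookie is unknown,
        expired, or presented by a client other than the one it was issued to."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > SESSION_TTL_SECONDS:
            self.sessions.pop(token, None)
            return None
        if not hmac.compare_digest(s.client_binding, self._bind(ip, user_agent)):
            # Same cookie, different client: treat as a suspected replay, revoke the
            # session so the attacker loses access, and record an event for the SOC.
            self.audit_log.append({
                "event": "session_replay_suspected",
                "user": s.user,
                "ip": ip,
                "user_agent": user_agent,
            })
            self.sessions.pop(token, None)
            return None
        return s.user


def demo():
    """Issue a session to a constructed victim client, then present the same cookie
    from a constructed second client, as a cookie-theft attack would."""
    store = SessionStore()
    victim = ("203.0.113.10", "Mozilla/5.0 (victim browser)")
    other = ("198.51.100.7", "Mozilla/5.0 (different browser)")
    token = store.issue("alice", *victim)
    from_victim = store.validate(token, *victim)   # "alice"
    from_other = store.validate(token, *other)     # None, and an audit event is written
    return from_victim, from_other, store.audit_log


if __name__ == "__main__":
    print(demo())
```

Binding to the client IP is the strictest option and can log out legitimate users whose address changes (mobile networks, corporate proxies); many services bind only to the user agent, or rely on short session lifetimes plus the cookie attributes instead. The audit event is the part a detection team would forward to their SIEM: one session token seen from two clients is a strong signal of exactly the theft the article describes.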
Here’s a video made by Shahin Ramezany (Twitter: abyssec), who apparently executed the hack himself, using an XSS vulnerability that can be exploited in all major browsers:
He’s put up a tweet about the vulnerability and will not post the proof of concept until Yahoo has fixed it.
Quote from The Next Web:
Update at 1:45PM EST: “We’ve been looking into it and the US have now confirmed that they are investigating too,” a Yahoo spokesperson in the UK told TNW. “They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately.”
This is not good news for Yahoo, which recently introduced a new email client. More and more people are now reporting that their Yahoo Mail has been hacked; see Twitter for more on this.
It’s been said before, but I will say it again: never click links in emails from sources that are unknown or untrusted. One click might get your email account compromised, or sensitive data (personal or financial) made available to malicious folks who would like to do actual harm.