We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Yahoo email patch ineffective, security researchers say

Yahoo fixed an XSS flaw in its email application earlier this week but it apparently doesn't repair the problem

Security researchers say a patch released by Yahoo earlier this week for a serious email vulnerability did not fix the problem, leaving users at risk.

The cross-site scripting flaw was found by Shahin Ramezany, who goes by the nickname "Abysssec." The vulnerability can allow an attacker to harvest a victim's cookie for their Yahoo account if the victim is successfully tricked into clicking on a malicious link.

The vulnerability was patched by Yahoo on Monday, but penetration testing company Offensive Security and Ramezany say that the patch did not fix the problem.

"With little modification to the original proof-of-concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim's account," Offensive Security wrote on its blog.

A Yahoo spokeswoman did not have an immediate comment when contacted Wednesday.

Offensive Security hosted a video showing how the attack works but left out details that might allow attackers to replicate it. The company said XSS filters provide little defense against an attack and warned that people should be wary of clicking on links within emails until Yahoo fixes the vulnerability.

Send news tips and comments to [email protected] Follow me on Twitter: @jeremy_kirk


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia