Jan 7, 2013

Yahoo Mail users hit by widespread hacking, XSS exploit seemingly to blame

Late last night reports started coming in suggesting that Yahoo Mail users have had their accounts hacked. While “hacked” is a very broad term nowadays, it does appear that Yahoo email accounts are being compromised after users click on a malicious link they receive in their inboxes.
A bit of digging shows the attack seems to have been carried out by a lone hacker by the name of Shahin Ramezany. He has uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based XSS vulnerability that is exploitable in all major browsers.
The technique shown off is very simple, can be performed in just a few minutes, and seems to be very easy to automate. In his only tweet about the hack so far, Ramezany notes the vulnerability puts some 400 million Yahoo users at risk and promises the full details of his method will be posted after Yahoo plugs the security hole.
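The article names the vulnerability class (DOM-based XSS) but, because Ramezany withheld details, does not describe the Yahoo flaw itself. The following is an added, generic illustration of that class from a defender's side, not code from the article or from Yahoo: a page reads a `msg` parameter out of the URL fragment and renders it. The URL, parameter name and template are constructed for the example; plain string functions stand in for the browser's `innerHTML` and `textContent` sinks so it runs under Node without a DOM.

```javascript
// Added illustration of DOM-based XSS (the class the article names), not the
// unpublished Yahoo Mail flaw. String functions stand in for DOM sinks so the
// example runs without a browser.

// Untrusted source: a URL fragment the page reads back client-side.
// Constructed sample value (hypothetical host and parameter), not from the article.
const SAMPLE_URL = 'https://mail.example.invalid/inbox#msg=Welcome%20%3Cb%3Eback%3C%2Fb%3E';

// Extract the "msg" parameter from the fragment, as the page's script would.
function messageFromFragment(url) {
  const hash = new URL(url).hash.slice(1);  // drop the leading '#'
  return new URLSearchParams(hash).get('msg') || '';
}

// Vulnerable sink: untrusted text concatenated straight into markup
// (the string equivalent of element.innerHTML = ...). Any tags in the
// fragment become live DOM, which is the whole DOM-XSS problem.
function renderUnsafe(message) {
  return '<div class="banner">' + message + '</div>';
}

// Escape the five HTML-significant characters so the text is displayed,
// not parsed (the string equivalent of element.textContent = ...).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened sink: same template, but the untrusted part is inert text.
function renderSafe(message) {
  return '<div class="banner">' + escapeHtml(message) + '</div>';
}

// Defender-side check for a templating helper's unit tests: how many tags
// does the rendered markup contain? The template itself contributes two.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

function demo() {
  const msg = messageFromFragment(SAMPLE_URL);
  return {
    message: msg,
    unsafeTags: countTags(renderUnsafe(msg)),  // template's 2 tags + 2 from the fragment
    safeTags: countTags(renderSafe(msg)),      // template's 2 tags only
  };
}

console.log(JSON.stringify(demo()));
```

The tag count is the kind of assertion worth keeping in a front-end test suite: if the number of tags in rendered output ever exceeds what the template contributes, untrusted input has reached a markup sink. Client-side frameworks that escape by default, or a Content Security Policy that forbids inline script, limit the damage when such a sink slips through.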
It’s not currently clear how many Yahoo Mail users have already been affected by this flaw, but the number does appear to be growing quickly. A search on Twitter for “Yahoo hacked” shows that many have either had their accounts compromised or are receiving spam from friends with Yahoo accounts.
This warning from an actress and singer sums up the situation perfectly:
Friends and colleagues, don’t click the link that was sent to you from my Yahoo email account, I was hacked :/ Apologies!
— Cristina Vee (@CristinaVee) January 7, 2013
This isn’t the first time Yahoo Mail has been attacked by hackers, and it likely won’t be the last. The previous such incident was not so long ago, in July 2012, although that was related to a file being swiped from the company’s servers. This appears to be a security hole directly in Yahoo Mail.
We recommend that users with a Yahoo account change their account passwords and make a point of not clicking on any suspicious links they receive by email or from anywhere else. In fact, that goes for all users: don’t click on random links, even if you get them from a friend. If you think your account was compromised, also change your password on any related accounts, especially if you use the same password.
We have contacted Yahoo about this issue. We will update this article if we hear back.
Image credit: KateKrav
