Security researcher Shahin Ramezany has developed an XSS proof-of-concept exploit that, he claims, puts some 400 million Yahoo Mail users at risk of having their accounts taken over.
In a video posted on YouTube last night, Ramezany demonstrated an exploit for what he claims is a DOM-based (document object model) cross-site scripting vulnerability that affects Yahoo Mail users on all current browsers. Using a maliciously crafted link, a pen-testing platform, a Chrome browser add-on, and a touch of social engineering, Ramezany takes complete control of a dummy Yahoo Mail account in less than five minutes.
In the video, Ramezany sends an email with a malicious link embedded in it from one Yahoo Mail account he has open in Chrome to another account that he has set up in a separate Internet Explorer 10 browser. Before switching to his IE browser, Ramezany copies and pastes the malicious URL into his Chrome address bar and is presented with a ‘404 Not Found’ message. He then switches over to IE, opens the email, and clicks the link, which, in turn, opens a new IE window. Ramezany quickly minimizes the new window, so it is impossible to say for certain what happens there.
He then goes back to Chrome and enters the malicious link into the address bar there again. This time, instead of seeing a 404 page, Ramezany is presented with several lines of URL-encoded cookie text, which he copies and decodes in a penetration-testing platform called Burp Suite. Finally, he takes part of the decoded output and plugs it into the ‘Edit This Cookie’ Chrome browser add-on, refreshes the page, and, just like that, is logged in in Chrome to the Yahoo account to which he sent the malicious email in the first place.
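The two steps the video chains together, untrusted page input reaching an HTML sink and a session cookie being readable by script, each have a standard mitigation. The following is an added example, not code from the article or from the researcher it describes, and it makes no claim about how Yahoo Mail was actually built. It shows a DOM-based XSS sink beside its escaped form, and a small Set-Cookie checker that flags a session cookie missing `HttpOnly` (which keeps it out of `document.cookie`). The functions are pure string handling so they run under Node; the fragment, cookie names and domain are constructed sample values, and in a real page `fragment` would be `location.hash` and the sink `innerHTML`.

```javascript
// Added example (not from the article). Two defensive checks for the bug
// class the video demonstrates:
//  1. untrusted page input must be escaped before it reaches an HTML sink;
//  2. session cookies should carry HttpOnly so script, and therefore an XSS
//     payload, cannot read them through document.cookie.
// Pure functions, no browser DOM needed. In a page, `fragment` would be
// location.hash and the sink would be element.innerHTML.

// Constructed sample input: a URL fragment carrying the classic harmless probe.
const SAMPLE_FRAGMENT = '#<img src=x onerror=alert(1)>';

// Vulnerable pattern: the decoded fragment is concatenated straight into markup.
function renderUnsafe(fragment) {
  const untrusted = decodeURIComponent(fragment.slice(1));
  return '<div id="banner">' + untrusted + '</div>';
}

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same sink, but the untrusted text is escaped first
// (in a real page, assigning to textContent instead of innerHTML is simpler).
function renderSafe(fragment) {
  const untrusted = decodeURIComponent(fragment.slice(1));
  return '<div id="banner">' + escapeHtml(untrusted) + '</div>';
}

// Count element tags in rendered markup beyond the wrapper's own open/close
// pair; anything above zero means untrusted input became markup.
function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - 2;
}

// Parse a Set-Cookie header value and report the attributes that decide
// whether script can read it (HttpOnly) and where it is sent (Secure, SameSite).
function cookieFlags(setCookie) {
  const parts = setCookie.split(';').map((p) => p.trim());
  const [name] = parts[0].split('=');
  const attrs = parts.slice(1).map((p) => p.toLowerCase());
  const sameSiteAttr = attrs.find((a) => a.startsWith('samesite='));
  return {
    name,
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    sameSite: sameSiteAttr ? sameSiteAttr.split('=')[1] : 'none',
  };
}

// Constructed headers: a session cookie as it is often set, and a hardened one.
const WEAK_COOKIE =
  'SESSIONID=session-token-placeholder; Path=/; Domain=.mail.example';
const HARDENED_COOKIE =
  'SESSIONID=session-token-placeholder; Path=/; Domain=.mail.example; Secure; HttpOnly; SameSite=Lax';

// Stand-alone demo output.
console.log('unsafe sink :', renderUnsafe(SAMPLE_FRAGMENT), '| injected tags:', injectedTagCount(renderUnsafe(SAMPLE_FRAGMENT)));
console.log('safe sink   :', renderSafe(SAMPLE_FRAGMENT), '| injected tags:', injectedTagCount(renderSafe(SAMPLE_FRAGMENT)));
console.log('weak cookie :', cookieFlags(WEAK_COOKIE));
console.log('hard cookie :', cookieFlags(HARDENED_COOKIE));
```

The `injectedTagCount` check is a quick way to spot, in a test suite, that a template path lets markup through; the cookie checker is the kind of assertion worth running against a server's real `Set-Cookie` responses, since a missing `HttpOnly` is exactly what turns a reflected or DOM XSS into a copy-and-paste session takeover like the one shown in the video.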
Ramezany plans to post the proof-of-concept on his site, Abysssec.com, after Yahoo patches the vulnerability.