Yahoo Mail XSS Vulnerability Could Affect Millions of Accounts

Security researcher Shahin Ramezany developed an XSS proof-of-concept exploit that he claims puts some 400 million Yahoo Mail users at risk of having their accounts taken over.


In a video posted on YouTube last night, Ramezany demonstrated an exploit for what he claims is a document object model (DOM)-based cross-site scripting vulnerability that affects Yahoo Mail users on all current browsers. Using a maliciously crafted link, a pen-testing platform, a Chrome browser add-on, and a touch of social engineering, Ramezany takes complete control of a dummy Yahoo Mail account in less than five minutes.

In the video, Ramezany sends an email with a malicious link embedded in it from one Yahoo Mail account he has open in Chrome to another account that he has set up in a separate Internet Explorer 10 browser. Before switching to his IE browser, Ramezany copies and pastes the malicious URL into his Chrome address bar and is presented with a ‘404 Not Found’ message. He then switches over to IE, opens the email, and clicks the link, which, in turn, opens a new IE window. Ramezany quickly minimizes the new window, so it is impossible to say for certain what happens there.

He then goes back to Chrome and enters the malicious link into the address bar there again. This time, instead of seeing a 404 page, Ramezany is presented with several lines of encoded cookie text, which he copies and decodes in a penetration-testing platform called Burp Suite. Finally, he takes part of the decoded script and plugs it into the ‘Edit This Cookie’ Chrome browser add-on, refreshes the page, and, just like that, is logged in within Chrome to the Yahoo account to which he sent the malicious email in the first place.
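The chain described above ends with a cookie dump copied out of one browser and replayed in another. As an added example that is not part of the article and not Yahoo's code, the Python below audits Set-Cookie headers for the attributes that limit what such a dump is worth to an attacker: HttpOnly (page script cannot read the cookie), Secure and SameSite. The cookie names and header values are constructed sample input.

```python
"""Audit Set-Cookie headers for flags that blunt cookie theft via XSS.

HttpOnly keeps a cookie out of reach of document.cookie, Secure keeps it
off plaintext connections, and SameSite limits cross-site sends.
All header values and cookie names below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Return (cookie_name, {attribute_lowercase: value}) for one header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers, session_names=("session", "auth")):
    """Report session cookies missing HttpOnly, Secure or a SameSite policy."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in session_names:  # only session-bearing cookies matter
            continue
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            missing.append("SameSite")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample response headers: one weak session cookie, one hardened.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.com",
    "auth=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        print(f"{f.name}: missing {', '.join(f.missing)}")
```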

Ramezany plans to post the proof-of-concept on his site, after Yahoo patches the vulnerability.

  • Anonymous on

    Well, that is very nice of this "security expert" to post explicit information about this exploit. I am sure that cyber thieves will appreciate it.  They do not need a research department, since he (and other so-called "security experts") do the research for them.

    It appears to me that a lot of things have to get done before this particular exploit can pay off, but perhaps it can be improved.  If so, I'm sure our expert will tell us how.




  • Anonymous on

    @ RWS do you find that you hate your life? This guy tries to do everyone with a Yahoo account a service and you make some dickish remarks.

  • Anonymous on

    Hey gals, why the harsh words? This whole thing is not going to work if the recipient doesn't open the malicious link in the fake mail.

    In other words, it's all up to the user, but it's a good thing this is out in the open.

  • Anonymous on

    RWS, realize that the malicious code hasn't been posted.

  • Anonymous on


    Now this is funny when yahoo allows anyone up to 20-30 attempts to hack your account every 12 hours and now this hahaha don’t surprise me at all go hotmail or aol, gmail at least that’s secure

  • Chuck on

    @ RWS This vulnerability has been present in Yahoo's webmail for months and the "cyber thieves" have known about it and have been exploiting it all that time.


    Ramezany did not post his video until *after* Yahoo claimed to have fixed the issue. This is called limited disclosure or "responsible disclosure". Sadly, limited disclosure usually results in vendors taking way too long to fix the problem because their customers do not know they are vulnerable, but the bad guys know. Just like Yahoo did in this case.

  • Mohammad Mehdi Vaezi Nezhad on


     - few months ago video file from the sides one of friends security expert for the servant was sent the that exactly same time the cases documented in this article have been raised but not for Yahoo but also For Facebook had to happen

    Video file as the servants several Times Browse got and sure I Became that the file with several Times edit is made and such practical dont doable not in real world

    Mechanism Dqyqs this action. The time Dqaqa know that to the Through what is and this defect Facebook absence but also defects plugin was such an that runs on browser was mounted


    Mohammad Mehdi Vaezi Nezhad

    ISO/IEC 27001:2005 Auditor
