Researchers say Yahoo Mail exploit still active, despite claim of being fixed
On Monday, Yahoo told TNW it had plugged a vulnerability in Yahoo Mail that had resulted in email accounts being compromised after users clicked on a malicious link they received in their inboxes. On Tuesday, the information security training and penetration testing firm Offensive Security said it had discovered that the vulnerability is still present.
As we wrote yesterday, the hacker Shahin Ramezany (aka Abysssec) uploaded a YouTube video demonstrating how to compromise a Yahoo account by leveraging a DOM-based XSS vulnerability that is exploitable in all major browsers. Offensive Security says it spoke with Ramezany yesterday after Yahoo said the flaw was fixed, and found that the fix can be worked around.