Arik Hesseldahl

Recent Posts by Arik Hesseldahl

Yahoo Mail Endures Another Hacking Vulnerability

If you’re seeing a spike in people apologizing via their Facebook and Twitter feeds about how their email accounts have been hacked in recent days, there’s a better-than-average chance that the email account in question is on Yahoo Mail.

Over the weekend there was a lot of buzz about a cross-site scripting vulnerability recently discovered in Yahoo Mail. It’s the subject of a story by TheNextWeb that’s getting a lot of traffic today.

The vulnerability was revealed by Shahin Ramezany, a researcher at Abysssec, a small independent security firm. According to his video demonstration, which you can see below (it’s hard to see, so best to watch it in full-screen mode), the vulnerability is one of those cross-site scripting, or XSS, vulnerabilities that work across multiple browsers. Ramezany said via his Twitter feed that he will disclose more about how the vulnerability works after Yahoo has patched it.

But the vulnerability is practically identical to another one that was documented in late November and was seen being hawked on the Web by an Egyptian hacker known as TheHell for an asking price of $700. Compare the two videos below. The first is from Abysssec/Ramezany and runs about four minutes. The second was created by TheHell, and it runs about 90 seconds.

First, Abysssec:

And now TheHell:

They certainly look similar to me. Anyhow, security journalist Brian Krebs notified Yahoo about it on Nov. 12, which means that if indeed these vulnerabilities are one and the same — not 100 percent certain, but tell me they don’t look alike — then Yahoo has had nearly two months to try to patch it.

It’s not the first time Yahoo Mail accounts have been compromised in some manner. In July, the company confirmed that some 450,000 user names and passwords were compromised. They had come to Yahoo via its acquisition of Associated Content in 2010 and had been stored on a server in plain text format.

The news comes less than a month after Yahoo unveiled a big redesign of its Yahoo Mail service, which followed a fairly radical redesign of its home page. As of December, Yahoo Mail was in third place behind Google’s Gmail and Microsoft’s Outlook.com (formerly Hotmail) as the most popular Web mail service.

Yahoo hasn’t said much about it yet and no one there has returned my calls, though a Yahoo spokesman in the U.K. said the company is investigating the vulnerability. Um, yeah.

Latest Video

View all videos »

Search »

I’m a giant vat of creative juices.

— David Pogue on why he’s joining Yahoo