Yahoo! Mail users should be extra careful, as this zero-day cross-site scripting vulnerability may compromise their accounts. In a typical cross-site scripting (XSS) attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script executes and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
The zero-day XSS vulnerability is being sold on underground hacking forums for $700 by an Egyptian hacker. The hacker posted the following video to demonstrate the exploit for potential buyers. The video is reproduced on YouTube by Brian Krebs.
“I’m selling Yahoo stored XSS that steal Yahoo emails cookies and works on ALL browsers,” wrote the Egyptian vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome XSS filter as it do that itself because it’s stored XSS.”
Security researchers at Yahoo! have responded quickly, and the company said that it is responding to the issue on priority. “Fixing it is easy, most XSS are corrected by simple code change. Once we figure out the offending URL we can have new code deployed in a few hours at most,” said Ramses Martinez, director of security at Yahoo!.
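To illustrate the kind of simple code change that corrects a stored XSS, and why cookie flags matter when a script does run, here is an added example. It is not Yahoo!'s code and not part of the original article; the function names, the `sid` cookie name and all sample values are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a stored message body that contains markup.
STORED_BODY = "Hi <script>/* injected script would run here */</script> there"


def render_unsafe(body: str) -> str:
    """Vulnerable 'before': stored text is pasted into the page as markup."""
    return '<div class="msg">' + body + "</div>"


def render_safe(body: str) -> str:
    """Hardened 'after': stored text is HTML-encoded at output time."""
    return '<div class="msg">' + html.escape(body, quote=True) + "</div>"


def session_cookie_header(session_id: str) -> str:
    """Session cookie that page scripts cannot read and that is HTTPS-only."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id  # "sid" is a hypothetical cookie name
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def script_readable(set_cookie_headers):
    """Audit helper: names of cookies a page script could read (no HttpOnly)."""
    exposed = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print(render_unsafe(STORED_BODY))  # markup survives, script would execute
    print(render_safe(STORED_BODY))    # markup is shown as inert text
    # Constructed Set-Cookie headers: two weak ones and the hardened one.
    headers = ["sid=abc; Path=/; Secure", "theme=dark; Path=/",
               session_cookie_header("abc")]
    print(script_readable(headers))
```

`HttpOnly` only keeps the cookie away from script; a script that still runs can act inside the page, so the output encoding is the actual fix.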
Until Yahoo! fixes the zero-day XSS vulnerability, temporary workarounds are mentioned below: