Few days back, a security researcher has found DOM based Cross site scripting (XSS) vulnerability i Yahoo that can be used to hijack users yahoo mail accounts. Within few hours, company started working on the fix and then claimed to fix the security hole. But researchers have found that vulnerability still exists and the patch by the company was not effective.
Security researcher Shahin Ramezany has managed to exploit the XSS on the same place again after company claimed to patch the vulnerability. He showed how attackers can convince the victim to click on a link with malicious code and then give up the account.
Yahoo officials has nothing to say about this after the vulnerability has been reproduced. But I am advising all readers not to click on any kind of suspicious links coming in the emails.
Here is the POC of the vulnerability and attack. See the demo video:
