Skip to main content

Yahoo Mail exploit by lone hacker sends malicious emails to victim contact lists

fixing yahoo social media
Image used with permission by copyright holder

There are innumerable exploits floating around that can grab a hold of your email address, should you voluntarily click on a mysterious link. Yahoo Mail users have recently been complaining of a hack that was propagating a malicious link sent to contact lists from their own email addresses. A self professed “security researcher,” a.k.a. hacker for the greater good by the name of Shahin Ramezany is the one behind the attack with the clear intent of proving to Yahoo how exploitable mailing platform is.

Ramezany filmed a walk-through from the backend showing users how the exploit works (check it out below for yourself). The hack is “compatible” across all major browsers and exploits an XSS vulnerability, which is really the most common type that you’ll see these days.  Using this, a hacker could gain access to individual accounts and peer through emails, but in this case it’s more about sharing the bug with contacts and seeing it go viral than anything else.

Once a victim clicks on a malicious link, the exploit assumes your identity and mass emails your contacts with a catchy subject line and the same link. When the link is clicked on the hack is perpetuated to their contacts and so forth. It should go without saying that if you’re a Yahoo user, be on the look out for strange emails, and if you clicked something strange, go change your password immediately.

Ramezany claims that he will expose his own code, but that won’t come until Yahoo patches the vulnerability. Until then you can direct your blame toward him and him alone since it appears that the hack was a solo effort.

Update: Yahoo reached out to us with the statement: “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

Yahoo hasn’t been a stranger to hackers. The last major incident took place in July when 400,000 accounts were purportedly hacked by hacker group D33ds Company, who used a SQL injection method. That method on the other hand was motivated by the desire to publicly expose the email addresses and passwords of its victims. This latest security issues comes just after Yahoo relaunched its email client and mobile apps.

Moral of the story is, change your passwords frequently and don’t click on anything your gut is telling you not to click on (even if it really piques your curiosity). Other than that, it’s up to Yahoo to keep your accounts safe.

Francis Bea
Former Digital Trends Contributor
Francis got his first taste of the tech industry in a failed attempt at a startup during his time as a student at the…
The 5 best websites like Craigslist in 2024

For years, Craigslist has been the go-to website for scoring a free sofa or finding an apartment. But there are plenty of other alternatives to Craigslist that do an equally fine job, oftentimes with a more attractive interface and fewer spam postings. The 5 best Craigslist alternatives are:

Facebook Marketplace
OfferUp
Locanto
Mercari
Recycler

Read more
How to stop spam emails in Outlook, Gmail, and more
A person sitting on the grass and taking notes at a laptop.

Spam and other unwanted emails are a nuisance, and it can seem like keeping them away from your inbox is a losing battle. But while you won't be able to prevent every piece of spam from landing in your inbox, it is possible to significantly reduce the number of messages that show up.

In this guide, we'll show you how to use filters, blocking, and spam reporting features to help stop spam from invading your inbox. We'll also go over a few more tips on how to reduce unwanted messages overall.
How to stop spam in Gmail
If you use Gmail, the most popular email client, you will eventually start getting spam. Here are our two favorite ways to deal with it.
Block spam in Gmail

Read more
How to add a signature in Gmail on desktop and mobile
how to file for stimulus

Email signatures are a great way to automatically include your contact information to your email correspondence. If you'd like to add a signature to your emails in Gmail, it's easy enough to add one. You'll just need to go through your Gmail settings to do it.

In this guide, we'll show you how to add a signature in Gmail whether you're using the desktop website version of Gmail or its mobile app.
How to add a signature on your desktop
Step 1: Launch your favorite browser and log into your Gmail account as you normally would.

Read more