Yahoo Mail exploit by lone hacker sends malicious emails to victim contact lists

There are innumerable exploits floating around that can get hold of your email address if you voluntarily click on a mysterious link. Yahoo Mail users have recently been complaining of a hack that propagated a malicious link, sent to their contact lists from their own email addresses. A self-professed “security researcher,” a.k.a. hacker for the greater good, by the name of Shahin Ramezany is the one behind the attack, with the clear intent of proving to Yahoo how exploitable its mail platform is.

Ramezany filmed a walk-through from the backend showing how the exploit works (check it out below for yourself). The hack is “compatible” across all major browsers and exploits an XSS (cross-site scripting) vulnerability, which is really the most common type you’ll see these days. Using this, a hacker could gain access to individual accounts and read through emails, but in this case it’s more about spreading the bug to contacts and watching it go viral than anything else.

Once a victim clicks on the malicious link, the exploit assumes their identity and mass-emails their contacts with a catchy subject line and the same link. When those contacts click the link, the hack propagates to their contacts, and so on. It should go without saying that if you’re a Yahoo user, be on the lookout for strange emails, and if you clicked something strange, change your password immediately.
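As an added illustration, not code from the article or from Ramezany: a defender-side heuristic in Python that flags the propagation pattern just described (one account mailing the same subject and link to many of its contacts within minutes) when run over outbound mail logs. The log schema, addresses, thresholds and sample records are all constructed assumptions.

```python
# Added example: flag worm-like fan-out in outbound mail logs (constructed schema).
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def detect_fanout(events, window=timedelta(minutes=10), min_recipients=20):
    """Return {sender: {(subject, link), ...}} for senders whose mail carries the
    same subject and link to >= min_recipients distinct recipients inside any
    window-long interval. events: dicts with ts (ISO 8601), sender, recipient,
    subject, body (assumed log schema, not a real provider's format)."""
    groups = defaultdict(list)  # (sender, subject, link) -> [(ts, recipient)]
    for e in events:
        for link in set(URL_RE.findall(e["body"])):
            key = (e["sender"], e["subject"], link)
            groups[key].append((datetime.fromisoformat(e["ts"]), e["recipient"]))
    flagged = defaultdict(set)
    for (sender, subject, link), sends in groups.items():
        sends.sort()
        lo = 0
        seen = defaultdict(int)  # recipient -> sends currently inside the window
        for ts, rcpt in sends:
            seen[rcpt] += 1
            while sends[lo][0] < ts - window:  # evict sends older than the window
                old = sends[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= min_recipients:
                flagged[sender].add((subject, link))
                break
    return dict(flagged)


def constructed_events():
    """Constructed sample log: one worm-like burst plus ordinary traffic."""
    base = datetime(2013, 1, 7, 9, 0, 0)
    burst = [{"ts": (base + timedelta(seconds=3 * i)).isoformat(),
              "sender": "victim@example.com", "recipient": f"contact{i}@example.com",
              "subject": "You have to see this!",
              "body": "check this out http://example.invalid/video"}
             for i in range(25)]
    normal = [{"ts": (base + timedelta(minutes=i)).isoformat(),
               "sender": "colleague@example.com", "recipient": f"c{i}@example.com",
               "subject": "Weekly report", "body": "Report: http://intranet.invalid/r"}
              for i in range(5)]
    return burst + normal
```

A real deployment would tune `window` and `min_recipients` against the provider's normal fan-out rates and pair a hit with an automatic password reset, as Yahoo's own statement recommends.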

Ramezany claims that he will publish his own code, but not until Yahoo patches the vulnerability. Until then you can direct your blame toward him and him alone, since it appears the hack was a solo effort.

Update: Yahoo reached out to us with the statement: “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

Yahoo is no stranger to hackers. The last major incident took place in July, when 400,000 accounts were purportedly hacked by the hacker group D33ds Company, which used a SQL injection method. That attack, on the other hand, was motivated by the desire to publicly expose the email addresses and passwords of its victims. This latest security issue comes just after Yahoo relaunched its email client and mobile apps.

The moral of the story: change your passwords frequently and don’t click on anything your gut is telling you not to click on (even if it really piques your curiosity). Beyond that, it’s up to Yahoo to keep your accounts safe.

Francis Bea
Former Digital Trends Contributor