Skip to main content

Yahoo Mail exploit by lone hacker sends malicious emails to victim contact lists

fixing yahoo social media
Image used with permission by copyright holder

There are innumerable exploits floating around that can grab a hold of your email address, should you voluntarily click on a mysterious link. Yahoo Mail users have recently been complaining of a hack that was propagating a malicious link sent to contact lists from their own email addresses. A self professed “security researcher,” a.k.a. hacker for the greater good by the name of Shahin Ramezany is the one behind the attack with the clear intent of proving to Yahoo how exploitable mailing platform is.

Ramezany filmed a walk-through from the backend showing users how the exploit works (check it out below for yourself). The hack is “compatible” across all major browsers and exploits an XSS vulnerability, which is really the most common type that you’ll see these days.  Using this, a hacker could gain access to individual accounts and peer through emails, but in this case it’s more about sharing the bug with contacts and seeing it go viral than anything else.

Once a victim clicks on a malicious link, the exploit assumes your identity and mass emails your contacts with a catchy subject line and the same link. When the link is clicked on the hack is perpetuated to their contacts and so forth. It should go without saying that if you’re a Yahoo user, be on the look out for strange emails, and if you clicked something strange, go change your password immediately.

Ramezany claims that he will expose his own code, but that won’t come until Yahoo patches the vulnerability. Until then you can direct your blame toward him and him alone since it appears that the hack was a solo effort.

Update: Yahoo reached out to us with the statement: “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

Yahoo hasn’t been a stranger to hackers. The last major incident took place in July when 400,000 accounts were purportedly hacked by hacker group D33ds Company, who used a SQL injection method. That method on the other hand was motivated by the desire to publicly expose the email addresses and passwords of its victims. This latest security issues comes just after Yahoo relaunched its email client and mobile apps.

Moral of the story is, change your passwords frequently and don’t click on anything your gut is telling you not to click on (even if it really piques your curiosity). Other than that, it’s up to Yahoo to keep your accounts safe.

Francis Bea
Former Digital Trends Contributor
Francis got his first taste of the tech industry in a failed attempt at a startup during his time as a student at the…
How to block a website

Whether you're looking to protect your kids from sketchy websites or protect yourself from distracting sites while working, sometimes we all need to block a website for our best interests. Balancing privacy, freedom, and controls can be tricky to navigate.

While many laptops come with some parental controls already installed, some are more user-friendly than others. We’ll walk you through exactly how to use the settings and how to use host files and routers to do this.

Read more
How to deactivate your Instagram account (or delete it)
A person holding a phone with the Instagram app open on it.

Oh, social media. Sometimes it’s just too much, folks. If you’re finding yourself in a position where shutting down your Instagram account for a period of time sounds good, Meta’s powers that be have made it pretty simple to deactivate your Instagram account. It’s also quite easy to completely delete your Instagram, although we wouldn’t recommend this latter option if you plan on returning to the platform at a later date.

Read more
How to clear cookies
A person uses a tablet with an HP laser printer in an office.

Cookies are a convenient way to experience the parts of the internet you frequently visit. One can think of these non-edible artifacts as digital breadcrumbs for info you may not want to remember every time. But when your computer is tasked with remembering too many of these trail-markers, it can really slow down your machine. Regardless of the browser you’re using, it’s a good idea to clear your cookies every once in a while.

Read more