Blog
Jan 8, 2013
Yahoo DOM XSS 0day – Not fixed yet!
After discussing the recent Yahoo DOM XSS 0day with Shahin from Abysssec.com, it was discovered that Yahoo’s fix set in place on 6:20 PM EST, Jan 7th, 2013 is not effective as one would hope.
2 min read
[vc_row][vc_column][vc_column_text]
After discussing the recent Yahoo DOM XSS 0day with Shahin from Abysssec.com, it was discovered that Yahoo’s fix set in place on 6:20 PM EST, Jan 7th, 2013 is not effective as one would hope.
With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account. The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed. This can be demonstrated as shown in the video we have created just this morning (10:23 AM EST, Jan 8th, 2013) after Shahin kindly shared proof of concept code with us.
Yahoo mail users should be on guard against clicking any links for the foreseeable future. Due to the nature of the vulnerability, XSS filters and similar protections provide little defense against this attack. Please note that technical details have been stripped from the demo movie and will be published on Abysssec.com once Yahoo issues an effective patch. Best viewed in full screen.
[/vc_column_text][vc_raw_html]JTNDdmlkZW8lMjBjb250cm9scyUzRSUzQ3NvdXJjZSUyMHNyYyUzRCUyMmh0dHBzJTNBJTJGJTJGd3d3Lm9mZmVuc2l2ZS1zZWN1cml0eS5jb20lMkZ2aWRlb3MlMkZ5YWhvby14c3MtMGRheS5tcDQlMjIlMjB0eXBlJTNEJTIydmlkZW8lMkZtcDQlMjIlM0VZb3VyJTIwYnJvd3NlciUyMGRvZXMlMjBub3QlMjBzdXBwb3J0JTIwdGhlJTIwdmlkZW8lMjB0YWcuJTNDJTJGdmlkZW8lM0U=[/vc_raw_html][/vc_column][/vc_row]
Cybersecurity leader resources
Sign up for the Secure Leader and get the latest info on industry trends, resources and best practices for security leaders every other week
Latest from OffSec
Enterprise Security
What is Incident Response?
Learn what incident response is, why it’s crucial, the steps involved, and how to build a team to effectively manage cybersecurity incidents.
Oct 21, 2024
10 min read
Enterprise Security
How to Attract Top Cybersecurity Talent
Attract top cybersecurity talent by defining your value, supporting growth with education, fostering a positive culture, and offering flexibility.
Oct 15, 2024
6 min read
Enterprise Security
What is Threat Intelligence?
This article explores threat intelligence, its purpose, types, and how organizations can leverage it to enhance cybersecurity.
Sep 27, 2024
9 min read