
Jan 8, 2013
Yahoo DOM XSS 0day – Not fixed yet!
After discussing the recent Yahoo DOM XSS 0day with Shahin from Abysssec.com, it was discovered that Yahoo’s fix set in place on 6:20 PM EST, Jan 7th, 2013 is not effective as one would hope.
[vc_row][vc_column][vc_column_text]
After discussing the recent Yahoo DOM XSS 0day with Shahin from Abysssec.com, it was discovered that Yahoo’s fix set in place on 6:20 PM EST, Jan 7th, 2013 is not effective as one would hope.
With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account. The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed. This can be demonstrated as shown in the video we have created just this morning (10:23 AM EST, Jan 8th, 2013) after Shahin kindly shared proof of concept code with us.
Yahoo mail users should be on guard against clicking any links for the foreseeable future. Due to the nature of the vulnerability, XSS filters and similar protections provide little defense against this attack. Please note that technical details have been stripped from the demo movie and will be published on Abysssec.com once Yahoo issues an effective patch. Best viewed in full screen.
[/vc_column_text][vc_raw_html]JTNDdmlkZW8lMjBjb250cm9scyUzRSUzQ3NvdXJjZSUyMHNyYyUzRCUyMmh0dHBzJTNBJTJGJTJGd3d3Lm9mZmVuc2l2ZS1zZWN1cml0eS5jb20lMkZ2aWRlb3MlMkZ5YWhvby14c3MtMGRheS5tcDQlMjIlMjB0eXBlJTNEJTIydmlkZW8lMkZtcDQlMjIlM0VZb3VyJTIwYnJvd3NlciUyMGRvZXMlMjBub3QlMjBzdXBwb3J0JTIwdGhlJTIwdmlkZW8lMjB0YWcuJTNDJTJGdmlkZW8lM0U=[/vc_raw_html][/vc_column][/vc_row]
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec

Research & Tutorials
CVE-2025-29306 – Unauthenticated Remote Code Execution in FoxCMS v1.2.5 via Unserialize Injection
Discover details about CVE-2025-29306, a critical RCE vulnerability in FoxCMS 1.2.5. Learn how unsafe use of PHP’s unserialize() function enables remote attackers to execute arbitrary system commands.
Jul 3, 2025
2 min read

Research & Tutorials
CVE-2024-39914 – Unauthenticated Command Injection in FOG Project’s export.php
Discover details about CVE-2024-39914, a critical unauthenticated command injection vulnerability in FOG Project ≤ 1.5.10.34. Learn how attackers can exploit export.php to execute system commands or deploy persistent webshells.
Jun 26, 2025
2 min read

OffSec News
What It Really Means to “Try Harder”
Discover how OffSec’s “Try Harder” mantra evolved into a mindset, and how it helps learners build grit, creativity, and real-world problem-solving skills.
Jun 23, 2025
7 min read