Yahoo Mail can be considered one of the worst e-mail services online when it comes to security. In 2014 a hack on the company exposed 500 million accounts, but it decided to keep this secret, exposing its users to very serious risks.
What has changed today? Probably not too much:
Security researcher Jouko Pynnonen has discovered a cross-site scripting (XSS) security flaw in Yahoo Mail that essentially allows an attacker to access any account and freely read its e-mail messages.
Yahoo reportedly fixed the flaw last week and rewarded the researcher with $10,000 under the company's bug bounty program.
Pynnonen explained that it was possible for an attacker to break into the company's accounts simply by bypassing the HTML filtering that Yahoo applies to catch hidden malicious JavaScript code.
Worst of all, users did not even need to click on links or open attachments. They only had to open the e-mail message sent to them by the hacker.
"The flaw allows an attacker to read a victim's email or create a virus to infect Yahoo Mail accounts, among other things. The attack requires the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) is required," the researcher says.
Yahoo was notified of the hack on November 12 and fixed it on November 29. So now you are supposed to be safe.
https://klikki.fi/adv/yahoo2.html