On Monday, we learned that a DOM-based cross-site scripting (XSS) vulnerability that affected Yahoo! could be exploited by cybercriminals to take over accounts. The company rushed to issue a fix for the security hole, but experts have found that the patch is not effective.
Security expert Shahin Ramezany, the one who first identified the issue, and researchers from Offensive Security have determined that with a small modification made to the original attack method, the vulnerability can still be exploited if the attacker can convince the victim to click on a link containing malicious code.
In the statement released by Yahoo!, the company’s representatives were confident that the issue had been fixed.
I’ve contacted Yahoo! to see what they have to say about the new claims. The post will be updated as soon as they respond.
Until the issue is properly addressed, users are advised not to click on any suspicious links.
Update. Yahoo! representatives have responded to my inquiry. They've stated:
"The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we've now fixed the vulnerability on all versions of the site."
Here is the new POC video published by the researchers. The sensitive technical details have been redacted: