That Yahoo Mail Vulnerability? Not Really Fixed.

The vulnerability in Yahoo Mail that has been blamed for a surge in spam emanating from compromised accounts wasn’t really fixed, or at least not entirely.

That’s the claim from Offensive Security, a security research and training firm. In a blog post yesterday, the firm demonstrated how Yahoo Mail is still vulnerable to cross-site scripting, or XSS, attacks.

You can see the latest demonstration in the video below. Remember that the vulnerability initially disclosed by Shahin Ramezany, a researcher at Abysssec, a small independent security firm, was also of the XSS variety. It involved sending a link to a Yahoo Mail user; if the user takes the bait and clicks it, the attacker gathers enough information about the account to take it over later.

Yahoo said it fixed this vulnerability later on the night of Jan. 7.

But now Offensive Security claims that Yahoo fixed the immediate problem without fixing the more fundamental flaw that allowed it in the first place.

“In this case, Yahoo has been provided the proof-of-concept by Shahin. They thought they had it corrected and went around releasing statements to that fact,” Offensive’s Jim O’Gorman told me by email. “However, and this is actually common, they corrected the specific method of exploitation that was used in the initial proof-of-concept, but did not correct the underlying flaw. Because of this, it’s possible to bypass Yahoo’s new protections with only some slight modifications.” While he didn’t go into a lot of technical detail, he likened it to killing a couple of roaches, but not addressing the underlying environmental conditions that allow roaches to thrive in the first place.
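To make the distinction O'Gorman draws concrete, here is an added illustration (not Yahoo's code, not Offensive Security's, and not the actual bypass, which the post does not detail). It assumes the underlying flaw is the classic one behind reflected XSS: untrusted input placed into an HTML text context without output encoding. The payloads are constructed for the example. One "fix" strips the exact tag used in the proof of concept; the other encodes the output, which is the flaw-level fix.

```javascript
// Added example, not code from the page: a patch that blocks only the original
// proof-of-concept payload versus a fix for the underlying flaw (missing output
// encoding in an HTML text context). Assumption: the vulnerable page reflects
// an attacker-controlled string into HTML as-is.

// Constructed stand-in for the "original" proof-of-concept payload.
const ORIGINAL_POC = '<script>alert(document.cookie)</script>';

// Constructed variants an attacker tries once the first fix ships: the "slight
// modifications" of the same vector.
const VARIANTS = [
  '<SCRIPT>alert(document.cookie)</SCRIPT>',           // case change
  '<scr<script>ipt>alert(document.cookie)</script>',   // nested tag survives one strip pass
  '<img src=x onerror="alert(document.cookie)">',      // no script tag at all
  '<svg onload=alert(document.cookie)>',               // another event-handler carrier
];

// Fix 1, the kind of patch the quote describes: remove the specific tag seen in
// the proof of concept, then reflect the remainder as raw HTML.
function renderBlacklisted(name) {
  const cleaned = name.replace(/<script>/g, '').replace(/<\/script>/g, '');
  return `<p>Hello, ${cleaned}</p>`;
}

// Fix 2, the underlying flaw: encode for the HTML text context so no input can
// change the structure of the markup, whatever tag or attribute it carries.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

function renderEncoded(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Crude oracle used only to grade the two renderers here: does the output still
// contain a live element (a script tag or an on* event handler)? It is a test
// aid for this example, not a sanitizer to reuse.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Returns the variants that still produce active markup through a given renderer.
function bypassReport(render) {
  return VARIANTS.filter((v) => containsActiveMarkup(render(v)));
}

console.log('blacklist blocks original PoC:',
  !containsActiveMarkup(renderBlacklisted(ORIGINAL_POC)));
console.log('blacklist bypassed by:', bypassReport(renderBlacklisted));
console.log('encoding bypassed by:', bypassReport(renderEncoded));
```

The blacklist renderer passes the original proof of concept, which is exactly what a vendor checks before announcing a fix, and fails all four variants; the encoded renderer fails none, because it never lets input become markup in the first place. The practical check is to retest with variants of the reported vector, not only the vector itself.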

And as I noted on Monday, this isn't Yahoo's first experience with XSS vulnerabilities. Ramezany's video looked an awful lot like a demonstration of another XSS vulnerability Yahoo was told about in November. Yahoo has since insisted the two are not one and the same, but they certainly aren't very different, either.

I’ve asked Yahoo for a comment on Offensive’s claims, but haven’t heard back yet.

Anyway, here’s Offensive’s demonstration, complete with some head-pounding techno.