Yahoo Mail to offer HTTPS after security vulnerability found
Secure session encryption now offered for webmail service, but XSS hijack risk remains
Yahoo is offering users of its webmail service HTTPS encryption, closing a loophole that left their data open to hackers.
The new layer of encryption has been welcomed by the security community, but it is not enabled by default, requiring users to switch on HTTPS manually.
The search giant is a latecomer to HTTPS, which competing services Hotmail (now Outlook.com) and Gmail, as well as the social networking sites Facebook and Twitter, have offered for a number of years.
While login authentication has always been encrypted, the data exchanged during a browser session has not been until now, which left users vulnerable to eavesdropping.
While this particular security hole has been plugged, another vulnerability in the webmail service remains, according to researchers.
Yahoo claimed on 7 January to have patched a cross-site scripting (XSS) hole that led to accounts being hijacked when users clicked a malicious link.
A proof-of-concept video was posted to YouTube on 6 January by hacker-turned-security-researcher Shahin Ramezany, to which the firm responded with a patch that Ramezany later claimed was ineffective.
Working with Ramezany, security researchers at Offensive Security claim to have ‘tweaked’ the original code so that the patch no longer blocks it, which would allow hackers to continue exploiting the flaw unhindered.
“Yahoo mail users should be on guard against clicking any links for the foreseeable future. Due to the nature of the vulnerability, XSS filters and similar protections provide little defence against this attack,” said Offensive Security.
A Yahoo spokesperson told Cloud Pro: "The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we have now fixed the vulnerability on all versions of the site."