Yahoo has finally given customers what Facebook, Gmail and Twitter users have had for years: the option to always use HTTPS (secure, encrypted) connections for all their Yahoo Mail activity.
“We’re really happy that Yahoo! is starting 2013 right by letting Yahoo! Mail users use HTTPS to access their e-mail accounts securely,” the Electronic Frontier Foundation’s Seth Schoen said in a blog posting Monday.
The EFF has long advocated HTTPS encryption for all communications, and even sent a letter in November to new Yahoo chief executive officer Marissa Mayer asking for its implementation in Yahoo services.
HTTPS is not enabled by default in Yahoo Mail, but users can quickly turn on the new feature by going to their Mail Options screen, choosing “General” and selecting “Turn on SSL.”
Close one door, and another opens
Unfortunately, HTTPS won’t stop every malicious attack, as a security researcher in the United Arab Emirates demonstrated Jan. 6.
Shahin Ramezany posted a YouTube video demonstrating a cross-site-scripting (XSS) flaw that allowed anyone with the right code and technical knowledge to access strangers’ Yahoo accounts.
Using professional debugging tools and special code that he said he won’t reveal until the flaw is fully patched, Ramezany showed that user cookies could be captured by a malicious website, then transferred from one Yahoo user to another, giving the second user access to the first’s account.
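The cookie theft described above works only if the session cookie is reachable by injected script and, for an attacker on the network, if it travels over plain HTTP. The following is an added example, not code from the article or from Yahoo: a small audit of Set-Cookie headers for the attributes (Secure, HttpOnly, SameSite) that limit what a stolen-cookie attack can do. The cookie names and header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for attributes that limit cookie theft.

Added example, not from the article. The sample headers below are
constructed for illustration and are not Yahoo's real headers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value and report missing protections."""
    # First segment is name=value; the rest are attributes.
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()

    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure

    secure = "secure" in attrs
    httponly = "httponly" in attrs
    raw_samesite = attrs.get("samesite")
    samesite = raw_samesite if isinstance(raw_samesite, str) else None

    findings: List[str] = []
    if not secure:
        findings.append(
            "missing Secure: the cookie is also sent over plain HTTP, "
            "so turning on HTTPS alone does not keep it off the wire"
        )
    if not httponly:
        findings.append(
            "missing HttpOnly: script injected through an XSS flaw can "
            "read the cookie via document.cookie and send it elsewhere"
        )
    if samesite is None:
        findings.append(
            "missing SameSite: the cookie is attached to cross-site requests"
        )
    return CookieAudit(name, secure, httponly, samesite, findings)


# Constructed sample headers: a weak cookie and a hardened one.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.com",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def audit_all(headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a response."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        status = "OK" if not result.findings else "WEAK"
        print(f"{result.name}: {status}")
        for finding in result.findings:
            print("  -", finding)
```

HttpOnly keeps injected script from reading the cookie value, but it does not stop that script from making requests inside the victim's logged-in session, so it narrows the impact of an XSS flaw rather than removing the need to patch it.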
(Ramezany said on his Twitter feed that he had given Yahoo full details before posting the video.)
The exploit seems very similar to one that we reported on in November and which was being sold in underground online bazaars for $700. At that time, Yahoo was said to be working on a patch.
The Next Web tech blog suggested that Ramezany’s video was linked to what the blog perceived as a rash of break-ins to Yahoo Mail accounts beginning Sunday evening.
The Next Web’s evidence — complaints on Twitter from Yahoo users whose accounts had been hacked — was circumstantial at best. Twitter searches for “Yahoo hacked” will return results on almost any given day.
Fixed or not?
Tuesday, Yahoo told The Next Web that the flaw demonstrated by Ramezany had indeed been fixed.
Ramezany disputed that.
“Yahoo! patched the vulnerability but patch was not effective enough and users are still in risk,” he tweeted, pointing to a blog posting with a video that showed the exploit still working.
Yahoo Mail users can protect themselves, at least to some degree, from the XSS exploit by running robust anti-virus software that screens websites for malicious content. (That applies to Mac, iOS, Android and Linux users as well, since XSS flaws don’t discriminate among user platforms.)
To be truly sure, avoid clicking on unknown links in Yahoo Mail messages until the flaw is fully patched.