>> I continue to strongly contest the idea that I may have clicked on any link embedded in my Yahoo email
You are not alone in that - other people have also reported the same.
-----
I've just tracked down the code again. Yes, it is a DOM-based XSS attack, which is taking its information from the session cookie.
The author's comments are interesting about the Yahoo library being vulnerable; as you will see as you read through the document, Yahoo keep applying patches thinking they've fixed it, but further exploits continue to be found within other parts of the Yahoo library.
Something to note is that in step III - Exploiting the vulnerability, although Abyssec's code specifically shows a click being required, there is mention of a method of triggering the exploit "without even [requiring] a click" by the user.
The more recent hack attempts will likely be based on his code, but with a few tweaks. What concerns me and what I don't know enough about is his reference to adspecs.yahoo.com. His code is showing the opening of a new window to adspecs, which is where the info is being stolen from.
Could new and more sophisticated code be implemented which shows an ad from a bad source and doesn't require user interaction? I'm really out of my depth now and know stuff all about adspecs, but what if one of the third-party advertisers' adverts contained rogue code?
The above is certainly not beyond the realms of possibility because Zynga had a hack attempt about 3 yrs ago that came via a rogue advertiser XSS script. Most of those attempts were caught because of browser cross frame scripting. But adspecs uses the same TLD, and the Abyssec code specifically mentions the avoidance of this problem.
If ads are rotated or targeted, it wouldn't catch all users, but surely it would still net quite a few accounts!
Is someone clever enough to piece everything together and write the code for it? Yahoo's history of security seems to be 'close the stable door after the horse has bolted' and only patch holes rather than plug them beforehand. Their attitude seems to be denial that it happened rather than checking for more open doors.