A security researcher named Shahin Ramezany has developed a proof-of-concept for a cross-site scripting exploit which he claims more than 400 million Yahoo Mail users vulnerable to. This exploit could allow a hacker to take control of a user's account.

The vulnerability is a DOM-based XSS vulnerability which affects Yahoo! users on all current major browsers. Ramezany was able to take control of a test account using a malicously crafted link, a Chrome addon, a pen-testing platform, and social engineering within five minutes.

In this video Ramezany demonstrates the vulnerability:

In the video, the hacker sends a link to an externally hosted HTML file to his victim who then proceeds to open the link. The hacker logs the victim's cookies. Then the hacker uses these cookies to login to the victim's account.

Sources:
ThreadPost
ehackingnews.com