demonstrated how a single click on a malicious link could instantly swap out a Dreamhost account owner’s email address for one that an attacker uses, allowing Yibela — or an attacker — to send a password reset code to be sent to the email of the attacker, permitting an account takeover.

Read full news article on TechCrunch