Security researchers say a patch released by Yahoo earlier this week for a serious email vulnerability did not fix the problem, leaving users at risk. The cross-site scripting flaw was found by Shahin Ramezany, who goes by the nickname "Abysssec." The vulnerability can allow an attacker to harvest a victim's cookie for their Yahoo account if the victim is successfully tricked into clicking on a malicious link.