Amid cutting more than 1,500 jobs and seeing its third-quarter net income tumble 64 percent from last year's, Yahoo (www.yahoo.com) is now facing a website vulnerability that is being used to steal Yahoo users' identities.
Web analytics firm Netcraft (www.netcraft.com) has announced that its Netcraft toolbar community has found a flaw on a Yahoo website that is being exploited to steal Yahoo users' authentication cookies, which can be used to gain access to Yahoo accounts, such as Yahoo Mail.
Cross-site scripting vulnerabilities can allow authenticated session data to be remotely accessed via cookie-stealing scripts, letting the attacker use the same cookie values to hijack the victim's session without needing to log in. Netcraft advises administrators that this security flaw can usually be addressed by using HttpOnly cookies so scripts cannot gain access to cookies.
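An added example, not from Netcraft or the original article: a small audit that checks whether the session cookies in a response carry the HttpOnly attribute Netcraft recommends. The cookie names and Set-Cookie values are constructed for illustration.

```python
# Added example: find session cookies that page scripts can still read.
# All header values and cookie names below are constructed sample data.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def missing_httponly(set_cookie_headers, session_names):
    """Return names of session cookies set without the HttpOnly attribute."""
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in session_names and "httponly" not in attrs:
            exposed.append(name)
    return exposed


# Constructed Set-Cookie values as they might appear in one HTTP response.
SAMPLE_HEADERS = [
    "SESSIONID=3f9a1c; Path=/; Domain=.example.test",  # readable via document.cookie
    "AUTH=77be02; Path=/; HttpOnly",                    # hidden from scripts
    "prefs=lang%3Den; Path=/",                          # not an authentication cookie
    "LOGIN=ab12; path=/; httponly",                     # lower-case attribute still counts
    "TOKEN=HttpOnly; Path=/",                           # word appears only in the value
]
SESSION_COOKIES = {"SESSIONID", "AUTH", "LOGIN", "TOKEN"}  # hypothetical names

if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE_HEADERS, SESSION_COOKIES):
        print(f"{cookie}: set without HttpOnly, readable by injected script")
```

The TOKEN case shows why the header is parsed rather than searched for the substring "HttpOnly": the word appears in the cookie value, but the attribute is absent.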
With both the HotJobs vulnerability and the current one, Netcraft said, simply visiting the infected pages on yahoo.com can be enough for a victim to fall prey to a phishing attack. Netcraft has implemented protection for Netcraft Toolbar users against these attacks, which warns users of Yahoo URLs containing cross-site scripting elements. Netcraft has also contacted Yahoo about this flaw, although it reports that the HotJobs vulnerability and the cookie harvesting script are both still present.
By David Hamilton