October 27th, 2008

HotJobs site flaw leads to Yahoo account theft

Posted by Ryan Naraine @ 12:53 pm

Categories: Anti Virus, Botnets, Browsers, Data theft, Exploit code, Malware, Passwords, Patch Watch, Phishing, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Web 2.0

Tags: Attacker, Flaw, Yahoo! Inc., Authentication, HotJobs, Netcraft, Cookie, Security, Ryan Naraine

[Image: Phishing for Yahoo accounts]

(See update below for statement from Yahoo.)

Malicious hackers are exploiting a cross-site scripting flaw on Yahoo’s HotJobs site to phish for Yahoo credentials, according to a warning from Netcraft.

In the ongoing attack, Netcraft discovered that the vulnerability allows the attacker to inject obfuscated JavaScript into the affected page to steal authentication cookies that are sent for the yahoo.com domain.

The stolen authentication cookies are then passed to a different web site in the United States, where the attacker is harvesting stolen authentication details.

  • Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim’s email — the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised.

Netcraft said it notified Yahoo of the latest attack but warned that the HotJobs vulnerability and the attacker’s cookie harvesting script are both still present at the vulnerable site.
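The attack above works because untrusted input reaches the page unencoded and because the session cookies are readable from script. The following Node.js snippet is an added example, not code from the original post, from Netcraft or from Yahoo; it shows the two defender-side controls that address each half of that: output-encoding a reflected parameter before it is rendered, and auditing a Set-Cookie header for the HttpOnly, Secure and SameSite attributes. The cookie name SESSIONID, the example.com domain and the header values are constructed sample data, not anything from the HotJobs site.

```javascript
// Added example (not from the original post, Netcraft or Yahoo): two checks for the
// class of flaw described above, written for Node.js.
//  1. escapeHtml(): output-encode untrusted input before reflecting it into a page,
//     so injected markup cannot be interpreted as HTML or script.
//  2. auditSetCookie(): inspect a Set-Cookie header for the attributes that limit the
//     damage of a script-injection flaw (HttpOnly blocks document.cookie reads, Secure
//     keeps the cookie off plaintext HTTP, SameSite narrows cross-site sending).
// The cookie name "SESSIONID" and the header values below are constructed sample data.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a search-results heading the way a job-search page might, with the
// user-supplied keyword encoded. Returns the HTML fragment.
function renderSearchHeading(keyword) {
  return `<h1>Results for: ${escapeHtml(keyword)}</h1>`;
}

// Parse one Set-Cookie header value and report which protective attributes are missing.
// Attribute names are case-insensitive per RFC 6265, so they are lower-cased first.
function auditSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const name = nameValue.split('=')[0];
  const attrNames = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const missing = [];
  if (!attrNames.has('httponly')) missing.push('HttpOnly');
  if (!attrNames.has('secure')) missing.push('Secure');
  if (!attrNames.has('samesite')) missing.push('SameSite');
  return { name, missing };
}

// Constructed sample input: markup arriving in a search parameter, plus one weak and
// one hardened cookie header.
console.log(renderSearchHeading('<b>injected markup</b>'));
console.log(auditSetCookie('SESSIONID=abc123; Domain=.example.com; Path=/'));
console.log(auditSetCookie('SESSIONID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax'));
```

The first check is the fix for the flaw itself; the second is the control that would have kept a stolen page from reading the yahoo.com session cookies even while the flaw was live, which is why both belong in a review of a site that sets domain-wide authentication cookies.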

UPDATE: Yahoo e-mailed the following in response to this story:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback (1 comment)

mejohnsn | 04/30/09: Surely Blocked by NoScript!
