Earlier in the year, a security issue saw Yahoo users lose control of their accounts. While the attack relied on customers clicking on a link to a malicious site, it was unknown how attackers were able to retrieve the session cookies required, since the site was not on a Yahoo domain.
According to Bitdefender, however, attackers used a flaw in the WordPress blogging software that had been patched in April 2012, eight months prior. The WordPress blog that enabled the attack was Yahoo's own developer network site, which resides on the developer.yahoo.com domain. Because that host is a subdomain of yahoo.com, compromising it let the attackers access session cookies scoped to the yahoo.com domain and send them back to themselves.
Attackers first created a bogus news site modelled on the MSN/NBC News network and hosted it on at least two domains: com-im9.net and com-io4.net. Unsuspecting users were presented with URLs of a form similar to www.msnbc.msn.com-im9.net, which at first glance may appear to be legitimate content on the msn.com domain.
This upload feature was previously identified by Neal Poole and Nathan Partlan as containing a cross-site scripting flaw. They informed WordPress, and it was subsequently patched in version 3.2.2 released in April, marked as a security update.
Despite the availability of a patch, a security researcher from Websecurity, known as MustLive, noticed in November 2012 that the vulnerability was being exploited in the wild.
Using the flaw, attackers were able to send the user's session cookie from the Yahoo.com domain to their own "beacon" site on com-io4.net and harvest the details. By replacing their own cookies with the victim's, the attackers were able to hijack the active log-in session and take control of the account. Yahoo's WordPress installation appears to have now been patched.
Although the attacker never obtains the user's password, nor can they change it, the stolen session does open up the potential to compromise the victim's other accounts. In theory, by reading existing emails an attacker could quickly determine which other accounts the email address is tied to, such as social-media sites, and then request a password reset for those accounts and take control of them.
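The attack above works because a session cookie scoped to a parent domain is delivered to every subdomain, and a cookie without HttpOnly can be read by any script running in that scope, including script injected through a cross-site scripting flaw on a blog. The following audit helper is an added illustration, not code from the article or from Yahoo; the cookie name, value, and hosts in it are constructed placeholders, and the real attributes of Yahoo's cookies are not stated on the page. It parses a Set-Cookie header, reports the attributes that widen exposure, and models which hosts the browser would send the cookie to and where script could read it.

```python
"""Audit a Set-Cookie header for attributes that let a compromised subdomain,
or script injected on it, receive or read a session cookie.

Added example; hostnames and cookie values are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CookieAudit:
    name: str
    origin_host: str            # host that issued the Set-Cookie header
    domain: Optional[str]       # Domain attribute without leading dot; None = host-only cookie
    httponly: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser covering the name and the attributes we audit."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    out = {"name": name.strip(), "value": value.strip(),
           "domain": None, "httponly": False, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # Browsers ignore a leading dot; "Domain=.yahoo.com" means yahoo.com and all subdomains.
            out["domain"] = val.strip().lower().lstrip(".") or None
        elif key == "httponly":
            out["httponly"] = True
        elif key == "secure":
            out["secure"] = True
    return out


def audit_session_cookie(header: str, origin_host: str) -> CookieAudit:
    """Flag the attribute choices that widen where a session cookie is sent or readable."""
    c = parse_set_cookie(header)
    audit = CookieAudit(c["name"], origin_host.lower(), c["domain"], c["httponly"], c["secure"])
    if audit.domain is not None:
        audit.findings.append(
            f"Domain={audit.domain}: sent to every subdomain of {audit.domain}, "
            "so a compromised subdomain (such as a blog) receives it")
    if not audit.httponly:
        audit.findings.append(
            "missing HttpOnly: exposed through document.cookie, so script injected "
            "anywhere in the cookie's scope can read and exfiltrate it")
    if not audit.secure:
        audit.findings.append("missing Secure: also transmitted over plain HTTP")
    return audit


def cookie_sent_to(audit: CookieAudit, host: str) -> bool:
    """Would the browser attach this cookie to a request for `host`?"""
    host = host.lower()
    if audit.domain is None:          # host-only cookie: exact host match only
        return host == audit.origin_host
    return host == audit.domain or host.endswith("." + audit.domain)


def script_can_read_from(audit: CookieAudit, host: str) -> bool:
    """Can JavaScript running on `host` read the cookie value via document.cookie?"""
    return cookie_sent_to(audit, host) and not audit.httponly


if __name__ == "__main__":
    # Constructed headers: a domain-wide cookie without HttpOnly, then two hardened variants.
    samples = [
        "sid=placeholder123; Domain=.yahoo.com; Path=/",
        "sid=placeholder123; Domain=.yahoo.com; Path=/; Secure; HttpOnly",
        "sid=placeholder123; Path=/; Secure; HttpOnly",
    ]
    for header in samples:
        a = audit_session_cookie(header, "www.yahoo.com")
        print(header)
        print("  sent to developer.yahoo.com:", cookie_sent_to(a, "developer.yahoo.com"))
        print("  readable by script there:   ", script_can_read_from(a, "developer.yahoo.com"))
        for f in a.findings:
            print("  -", f)
```

The three samples show the trade-off a defender faces: a domain-wide cookie is still delivered to every subdomain even with HttpOnly set (so a compromised subdomain can still make requests that carry it), but HttpOnly stops injected script from reading and exfiltrating the value, and a host-only cookie is never delivered to other subdomains at all. When the architecture does need a cookie across subdomains, the remaining control is keeping every host in that scope, including blogs and developer sites, patched.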
Yahoo did not respond to ZDNet's request to comment.