(See update below for statement from Yahoo).
Malicious hackers are exploiting a cross-site scripting flaw on Yahoo's HotJobs site to phish for Yahoo credentials, according to a warning from Netcraft.
The stolen authentication cookies are then passed to a different web site in the United States, where the attacker is harvesting stolen authentication details.
- Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email -- the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised.
Netcraft said it notified Yahoo of the latest attack but warned that the HotJobs vulnerability and the attacker's cookie-harvesting script were both still present at the time of its report.
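The flaw class described above is a reflected cross-site scripting bug: a page echoes part of the request URL into its HTML unescaped, and because the session cookie is readable from page script, one visit is enough to expose it. The following added example (not code from the article, Netcraft or Yahoo) contrasts a constructed page with that defect against the hardened form, escaping the reflected value and marking the session cookie HttpOnly; the cookie name, value and probe string are placeholders.

```python
import html

# Constructed probe: the kind of value a job-search page would reflect into its
# HTML. It is harmless; the audit only checks whether it reaches the browser as markup.
PROBE = '<script>alert(document.domain)</script>'


def render_results(keyword: str, hardened: bool):
    """Return (headers, body) for a search-results page that echoes the keyword.

    hardened=False reproduces the defect class: raw reflection of the keyword and a
    session cookie that page script can read.  hardened=True HTML-escapes the
    keyword and adds HttpOnly so document.cookie no longer exposes the session.
    """
    shown = html.escape(keyword, quote=True) if hardened else keyword
    body = f"<html><body><h1>Jobs matching: {shown}</h1></body></html>"
    cookie = "SESSION=placeholder-token; Path=/; Secure"  # placeholder name/value
    if hardened:
        cookie += "; HttpOnly"
    headers = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": cookie}
    return headers, body


def reflects_markup(body: str, probe: str) -> bool:
    """True if the probe appears in the body unescaped, i.e. the page is injectable."""
    return probe in body


def session_cookie_script_readable(headers: dict) -> bool:
    """Parse Set-Cookie attributes; script can read the cookie unless HttpOnly is set."""
    attrs = [a.strip().lower() for a in headers["Set-Cookie"].split(";")]
    return "httponly" not in attrs


def audit(keyword: str, hardened: bool) -> dict:
    """Run both checks against a rendered page and report the findings."""
    headers, body = render_results(keyword, hardened)
    return {
        "reflects_markup": reflects_markup(body, keyword),
        "cookie_script_readable": session_cookie_script_readable(headers),
    }


if __name__ == "__main__":
    print("vulnerable:", audit(PROBE, hardened=False))
    print("hardened:  ", audit(PROBE, hardened=True))
```

HttpOnly only stops script from reading the cookie; injected script can still issue requests that carry it, so output escaping is the fix and the cookie flag is a second layer.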
UPDATE: Yahoo e-mailed the following in response to this story:
The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft's assistance in identifying this issue.
As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.