
HotJobs site flaw leads to Yahoo account theft

(See update below for statement from Yahoo.) Malicious hackers are exploiting a cross-site scripting flaw on Yahoo's HotJobs site to phish for Yahoo credentials, according to a warning from Netcraft.
Written by Ryan Naraine, Contributor on
Phishing for Yahoo accounts

In the ongoing attack, Netcraft found that the vulnerability lets the attacker inject obfuscated JavaScript into the affected HotJobs page. Because that page is served under the yahoo.com domain, the injected script runs with access to the authentication cookies the browser sends for yahoo.com, and it reads them out for theft.

The stolen authentication cookies are then sent to a separate web site hosted in the United States, where the attacker is harvesting the stolen authentication details.

  • Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email -- the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised.

Netcraft said it notified Yahoo of the latest attack but warned that the HotJobs vulnerability and the attacker's cookie-harvesting script were both still present on the vulnerable site.

UPDATE:  Yahoo e-mailed the following in response to this story:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft's assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.
