Netcraft warns of phishing flaw on Yahoo HotJobs

Stephen Shankland CNET News

Published: 28 Oct 2008 08:23 GMT


Yahoo's HotJobs site is vulnerable to a phishing-based attack that can give an attacker access to a Yahoo member's mail and other personal accounts, UK network service firm Netcraft said on Monday, and someone has been taking advantage of it.

In phishing, an attacker sends a bogus email masquerading as a legitimate message from a company, in this case Yahoo HotJobs. Clicking on a link that includes specially formatted JavaScript code can cause the website to run a program because of a cross-site scripting vulnerability, Netcraft said.

"The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the US, where the attacker is harvesting stolen authentication details," Netcraft said on Monday. "Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present."

Yahoo acknowledged the vulnerability but said it's fixed now.

"The team was made aware of this particular cross-site scripting issue yesterday morning (Sunday, 26 October) and a fix was deployed within a matter of hours. Yahoo appreciates Netcraft's assistance in identifying this issue," the company said in a statement. "As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com."

Yahoo wouldn't comment on how many people might have been affected.
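The attack described above depends on a link whose parameters carry script code to a trusted site. As an added example (not from the article, Netcraft or Yahoo), the following mail-gateway style check flags links whose query parameters decode to script-like content, including values that were percent-encoded more than once. The hostnames, sample links and marker list are constructed assumptions, and link extraction from the message is assumed to happen upstream.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Heuristic markers of script-capable content in a decoded parameter value
# (an assumed, non-exhaustive list chosen for this example).
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|<[^>]*\son\w+\s*=|document\s*\.\s*cookie",
    re.IGNORECASE,
)
MAX_EXTRA_DECODES = 3  # values may be percent-encoded more than once


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_EXTRA_DECODES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_links(urls):
    """Return (host, parameter, decoded value) for each script-bearing parameter."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        # parse_qsl performs the first round of percent-decoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if SCRIPT_MARKERS.search(decoded):
                findings.append((parts.hostname, name, decoded))
    return findings


# Constructed sample links (example.com hosts, harmless alert(1) marker).
SAMPLE_URLS = [
    "https://jobs.example.com/search?q=security+engineer&page=2",
    "https://jobs.example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "https://jobs.example.com/search?loc=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
]

if __name__ == "__main__":
    for host, param, value in suspicious_links(SAMPLE_URLS):
        print(f"flag: host={host} param={param} value={value!r}")
```

A match is a reason to quarantine or rewrite the link for review, not proof of an attack; the markers are heuristic and will miss obfuscations outside the list.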
