Yahoo's HotJobs site vulnerable to cross-site scripting attack

Updated on Tuesday, Oct. 28 at 11:58 a.m. EST

Internet research firm Netcraft's toolbar has detected a cross-site scripting bug in Yahoo that could be exploited to steal authentication cookies.

The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.

"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote.

The pilfered credentials could give the attackers access to the victims' Yahoo accounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.

"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised."

He said websites must protect cookie values. 
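The attack described here works because a search page reflected attacker-supplied markup into its HTML and the session cookie was readable by script. The following is an added illustration, not code from the article, from Netcraft or from Yahoo, of the two server-side defences that break that chain: escaping the reflected search term so injected markup is displayed rather than executed, and issuing the session cookie with the HttpOnly flag so that script cannot read it even if an XSS bug slips through. The function names (escapeHtml, renderSearchPage, buildSessionCookie) and the sample search term are invented for the example.

```javascript
// Added illustration (not from the article, Netcraft or Yahoo): two
// server-side defences against the reflected-XSS cookie theft pattern
// described above. All function names here are invented for the example.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value. A search term containing
// <script> is then shown literally instead of being run by the browser.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the results page for a job search. The query comes from the URL
// and is untrusted, so it is escaped before being placed in the markup.
function renderSearchPage(query) {
  return `<h1>Results for "${escapeHtml(query)}"</h1>`;
}

// Build a Set-Cookie header value for the session cookie.
// HttpOnly keeps the value out of document.cookie, so injected script
// cannot read it; Secure keeps it off plaintext HTTP; SameSite=Lax
// limits the cookie being sent on cross-site requests.
function buildSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample input: a search term carrying markup of the kind an
// attacker would plant in a link, used here only to check it is neutralised.
const sampleQuery = '<script>alert(1)</script>';

// Run both defences over the sample and return the results for inspection.
function demo() {
  return {
    page: renderSearchPage(sampleQuery),
    cookie: buildSessionCookie('session', 'abc 123'),
  };
}

console.log(demo().page);
console.log(demo().cookie);
```

The escaping must happen at the point where the value is written into HTML, not on the way in, because the same string may later be placed in a different context (a JavaScript string, a URL) that needs a different encoding. HttpOnly is a second, independent layer: it does not stop the script from running, but it denies the script the cookie value that the attack in this case was after.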

Netcraft notified Yahoo about the flaw.

Yahoo told SCMagazineUS.com that it fixed the flaw on Sunday and recommends that users change their passwords if they are concerned.

"Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com," the company said in a statement. "Yahoo considers users' security as a priority and continues to take a hard look at how to effectively combat malicious behavior and protect its users."
