Yahoo's HotJobs site vulnerable to cross-site scripting attack

Share this article:

Updated on Tuesday, Oct. 28 at 11:58 a.m. EST

Internet research firm Netcraft's toolbar has detected a cross-site scripting bug in Yahoo that could be exploited to steal authentication cookies.

The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.

"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote.

The pilfered credentials could enable the attackers access to the victims' Yahoo acounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.

"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised."

He said websites must protect cookie values. 

Netcraft notified Yahoo about the flaw.

Yahoo told SCMagazineUS.com that it fixed the flaw on Sunday and recommends that users change their passwords if they are concerned.

"Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com," the company said in a statement. "Yahoo considers users' security as a priority and continues to take a hard look at how to effectively combat malicious behavior and protect its users."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.