UK’s Netcraft points out vulnerability of Yahoo’s HotJobs site

November 10, 2008

The UK’s network service firm Netcraft has warned Yahoo of a phishing flaw on its HotJobs site.

Phishing-based attacks on the site, made possible by the vulnerability, can give an attacker access to Yahoo members’ mail and personal accounts. Netcraft reported that some attackers had already started taking advantage of the flaw on the HotJobs site.

In a phishing-based attack, the attacker sends a bogus email masquerading as a message from a company. When the recipient clicks on the specially formatted JavaScript code, the website can be made to run a programme because of the site’s cross-site scripting vulnerability.

According to Netcraft, the script steals the authentication cookies sent to the yahoo.com domain and passes them on to a different website, where the attacker harvests the stolen authentication details.
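The exposure described above depends on which cookies page script can read on a sibling host of the same parent domain. The following audit is an added example, not code from Netcraft or Yahoo; the host names, cookie names and header values are constructed, and the function names are hypothetical.

```javascript
// Added example: flag cookies that script running on a sibling host could read.
// All header values and host names are constructed for illustration.

// Parse one Set-Cookie header into the attributes relevant to script access.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), httpOnly: false, secure: false, domain: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
  }
  return cookie;
}

// A cookie is readable by page script on `host` when it lacks HttpOnly
// and its scope (host-only, or a Domain attribute) covers that host.
function readableByScriptOn(cookie, settingHost, host) {
  if (cookie.httpOnly) return false;
  if (cookie.domain === null) return host === settingHost; // host-only cookie
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Names of cookies set by `settingHost` that script on `siblingHost` could read.
function auditCookies(headers, settingHost, siblingHost) {
  return headers
    .map(parseSetCookie)
    .filter(c => readableByScriptOn(c, settingHost, siblingHost))
    .map(c => c.name);
}

// Constructed sample: a login host sets three cookies; a jobs host is the sibling.
const sampleHeaders = [
  'SESSION=abc123; Domain=.example.com; Path=/',                // domain-wide, script-readable
  'AUTH=def456; Domain=.example.com; Path=/; HttpOnly; Secure', // domain-wide, hidden from script
  'PREFS=lang-en; Path=/',                                      // host-only to the login host
];

console.log(auditCookies(sampleHeaders, 'login.example.com', 'jobs.example.com'));
```

Any name the audit returns is a cookie that a cross-site scripting flaw on the sibling host would expose; marking it HttpOnly or dropping the domain-wide scope removes it from the list.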

Yahoo has been informed of the latest attack by Netcraft. Yahoo said that the vulnerability has been fixed.

Yahoo’s team was informed about the cross-site scripting a day before, and a fix was delivered within hours by Netcraft.

Yahoo appreciated Netcraft’s assistance in fixing the issue within a short time and urged users to change their passwords as a safety precaution. It also advised users to always verify via the Sign-in Seal that they were giving their passwords to Yahoo.com.
