Yahoo's HotJobs site vulnerable to cross-site scripting attack

Internet research firm Netcraft said it has detected a cross-site scripting vulnerability on Yahoo that could be used to hijack authentication cookies.

The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said.

"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote.

The pilfered credentials could enable the attackers access to the victims' Yahoo acounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.

"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised."

He said websites must protect cookie values.

Netcraft notified Yahoo about the flaw.

A Yahoo spokeswoman could not be reached for comment on Monday.

See original article on scmagazineus.com