Yahoo Tightens HotJobs After Hackers Hit | Internet News

Oct 29, 2008

In a move that could have saved thousands of potential victims of identity theft, Yahoo techs have fixed a flaw in the online news and advertising company’s HotJobs Web site, one of the leading online job sites with thousands of subscribers.

The flaw, a cross-site scripting vulnerability, was discovered by Internet services company Netcraft, which notified Yahoo (NASDAQ: YHOO) about it on Sunday. Netcraft said it discovered a similar flaw on Yahoo’s ychat.help.yahoo.com site earlier this year.

In both cases, the attackers injected malicious JavaScript code, which attempted to steal visitors’ authentication cookies. The attackers could use the cookies to access their victims’ Yahoo e-mail accounts, and any other account that uses cookies for the Yahoo.com domain, Netcraft said.

JavaScript has a global object that experts have described as the root cause of all cross-site scripting attacks. Together with SQL injection, cross-site scripting accounts for about 60 percent of all Web site attacks.

Malicious JavaScript can sit dormant in a victim’s browser settings and monitor his or her actions until the victim accesses an account that exposes his or her personal data, explained Ryan Barnett, director of application security at Breach Security. At that point, the script steals the personal or banking data and transmits it back to the attacker’s Web site.

Hackers are also keeping up with the times. “JavaScript the hackers are trying to inject into databases has been updated to have a better chance of uploading into users’ browser headers,” Barnett told InternetNews.com.

But that isn’t necessary if someone wants to get unauthorized access to a Yahoo Mail account, as the hacking of vice presidential candidate Governor Sarah Palin’s Yahoo Mail account showed.

In a statement e-mailed to InternetNews.com, Yahoo said the HotJobs site flaw was fixed within a matter of hours. Yahoo recommended that users change their Yahoo passwords just to be safe.

Yahoo keeps its eyes peeled

Yahoo spokesperson Emily Fox told InternetNews.com the company followed its existing procedures for defending its network from attack. The portal is constantly on the lookout to prevent this sort of thing from happening, she added.

That might entail auditing both the code and the applications, said Dave Marcus, McAfee’s director of security research and communications. Any mistakes made during the examination may lead to the site being taken over by hackers and being used to distribute malware, he added.

Yahoo offers a guide to online security, and it also provides a link for consumers to report scams.

“Security is an industry-wide issue and one that Yahoo treats seriously,” the company said. “Yahoo considers users’ security as a priority and continues to take a hard look at how to effectively combat malicious behavior and protect its users.”
