Add to del.icio.us     Digg this

October 28, 2008

Yahoo confirms it has repaired an important security hole on its website, a few hours after security firm Netcraft said that the flaw on its site was utilized in stealing users' authentication cookies to gain access to certain Yahoo accounts, such as Yahoo Mail.

According to a post from Netcraft's website, "the attack exploits a cross-site scripting vulnerability on Yahoo's HotJobs site at hotjobs.yahoo.com, which currently allows the attacker to inject obfuscated JavaScript into the affected page. The script then steals the authentication cookies that are sent for the yahoo.com domain and passes them on to a different website in the U.S., where the attacker is harvesting stolen authentication details."

For its part, Yahoo's HotJobs division stated that the cross-site scripting vulnerability found on Oct. 26 was rapidly fixed. "Our team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours," read the statement. "Yahoo appreciates Netcraft's assistance in identifying this issue."

Having assured its customers that it has successfully repaired the security flaw, Yahoo also suggested further precautions for its users worried about their account security. "As a safety precaution, we recommend customers change their passwords, should they still be concerned. Users should always verify via their Sign-In Seal that they are giving their passwords to Yahoo.com, and not to a third party."

"Sign-In Seal" is a secret message or image that users create to protect Yahoo users from phishing attacks. Users are shown the custom text or image when they are on a legitimate Yahoo page, making them quickly aware when they visit a fraudulent site.

The company has also created a website to continually educate users about online security. It is at (security.yahoo.com).

"Security is an industry-wide issue and one that Yahoo treats very seriously," read Yahoo's statement. "Our company considers users' security as a top priority and will continue to take serious action at how to effectively combat malicious behavior and protect its users from any kind of attack."

Add to del.icio.us     Digg this

Source: Yahoo.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.