Ongoing Phishing Attack Exposes Yahoo Accounts
26th October, 2008
Update 2008-10-28: The attack is no longer ongoing. Yahoo has provided us with the following in a statement:
The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft's assistance in identifying this issue.
As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.
Our original article follows:
The Netcraft toolbar community has detected a vulnerability on a Yahoo website, which (at the time of writing) is currently being used to steal authentication cookies from Yahoo users — transmitting them to a website under the control of a remote attacker. With these stolen details, the attacker can gain access to his victims' Yahoo accounts, such as Yahoo Mail.
The small cookie-stealing script injected by the attacker.
A similar technique employed by the current attack.
Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised.
Both attacks send victims to a innocuous-looking, blank webpage.
The Netcraft Toolbar protects users against both of these attacks, warning that the malformed Yahoo URLs contain cross-site scripting elements, and that the URLs have been classified as known phishing sites.
Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present.