Yahoo! Fixes XSS Vulnerability Leveraged by Hackers to Hijack Accounts

The security hole existed because the company used an outdated version of WordPress

Last week, Bitdefender experts detailed a cybercriminal scheme in which the attackers leveraged a cross-site scripting vulnerability present on the Yahoo! Developer Network Blog to steal user cookies and hijack sessions. Now, Yahoo! claims to have addressed the issues.

The hackers sent out spam emails containing a link apparently pointing to an MSNBC article.

Users who clicked on the link were directed to JavaScript code that exploited the flaw in the Yahoo! Developer Network Blog in order to steal authentication cookies.

The cybercriminals utilized these session cookies to gain access to the victims’ accounts, which they used to send out more spam emails.

The Yahoo! blog was vulnerable because it utilized an outdated version of WordPress.

Yahoo! representatives have told PCWorld that the security hole has been addressed. The company urges customers who are concerned for the safety of their accounts to change their passwords and enable two-factor authentication.
