Last week, Bitdefender experts detailed a cybercriminal scheme in which the attackers leveraged a cross-site scripting vulnerability present on the Yahoo! Developer Network Blog to steal user cookies and hijack sessions. Now, Yahoo! claims to have addressed the issues.
The hackers sent out spam emails containing a link apparently pointing to an MSNBC article.
The cybercriminals utilized these session cookies to gain access to the victims’ accounts, which they used to send out more spam emails.
The Yahoo! blog was vulnerable because it utilized an outdated version of WordPress.
Yahoo! representatives have told PCWorld that the security hole has been addressed. The company urges customers who are concerned for the safety of their accounts to change their passwords and enable two-factor authentication.