The attackers gain access to the inboxes by sending emails containing malicious JavaScript code, according to tests conducted by Israeli security firm Avnet, which disclosed the flaw to Yahoo earlier this month.
Upon opening the malicious email, and without having to click on any links or attachments, users unknowingly send their cookies to the hacker's server. Hackers can then retrieve the cookie to gain access to the user's inbox, allowing them to send emails and steal passwords.
Yahoo fixed the flaw last week, and there have been no reported exploits, company spokesman Kelley Podboy said today in an e-mail.
"Online security issues are taken very seriously at Yahoo," she said. "We have developed a fix for this bug and have deployed it worldwide. Yahoo Mail users will not be required to take any action to be protected from this exploit."
In June, security researchers identified a worm that exploits a similar Yahoo web mail flaw. The worm spread to user's email contacts when he or she opened an infected email. The user did not have to click on any attachments.
Shortly after, Yahoo fixed the flaw, which infected a small number of people, as part of an automatic update for users.
