Yahoo plugs another web mail hole

Yahoo has fixed a vulnerability in its web mail service that, if exploited, could allow hackers access to users' mailboxes.

The attackers gain access to the inboxes by sending emails containing malicious JavaScript code, according to tests conducted by Israeli security firm Avnet, which disclosed the flaw to Yahoo earlier this month.


Upon opening the malicious email, and without having to click on any links or attachments, users unknowingly send their cookies to the hacker's server. Hackers can then retrieve the cookie to gain access to the user's inbox, allowing them to send emails and steal passwords.

Yahoo fixed the flaw last week, and there have been no reported exploits, company spokesman Kelley Podboy said today in an e-mail.

"Online security issues are taken very seriously at Yahoo," she said. "We have developed a fix for this bug and have deployed it worldwide. Yahoo Mail users will not be required to take any action to be protected from this exploit."

In June, security researchers identified a worm that exploited a similar Yahoo web mail flaw. The worm spread to a user's email contacts when he or she opened an infected email. The user did not have to click on any attachments.

Shortly afterward, Yahoo fixed that flaw as part of an automatic update for users. The worm had infected a small number of people.

 

Copyright © SC Magazine, US edition