Yahoo! has fixed a cross-site scripting vulnerability affecting the HotJobs website. The vulnerability, first reported by Netcraft allowed injection of malicious code that stole session authentication cookie of Yahoo! users and submitting them to a US-based webserver. Yahoo!’s statement found on Netcraft states:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

The session authentication cookies could have been used for accessing Yahoo! services such as Yahoo! Mail and Yahoo! HotJobs amongst others.

Share / Save