Hole in Yahoo! surrenders keys to the kingdom
Attack of the killer XSS
Yahoo! has closed a gaping hole that attackers were exploiting to gain access to victims' Yahoo Mail accounts and other restricted areas of site.
"I guess the beautiful bit about it from an attacker's viewpoint is quite a lot of people would be unaware of what's happened" after accessing a booby-trapped hotjobs URL, said Paul Mutton, an internet services developer for Netcraft who helped discover the exploit. "Not many people will think of changing their password after that happens."
To Yahoo's credit, Mutton said the XSS error was closed within hours of him reporting it to Yahoo's security team. But the episode is a reminder that even the biggest sites can be needlessly sloppy when it comes to handling authentication cookies. The attack would have been impossible to carry out had Yahoo bothered to use http-only cookies.
Yahoo is hardly alone here. Last month, bankofamerica.com, register.com, netflix.com and dozens of other big name sites were caught transmitting credentials that are vulnerable to a new tool called CookieMonster. That attack is neutered when sites use https-only cookies.
A Yahoo spokeswoman thanked Netcraft for help identifying the problem. She reminded users of the importance of resetting passwords. That's a sensible precaution, but it would have done nothing to protect users against this attack.
At time of writing, the blank page remained up and running. It's unknown if it's being used to attack other websites. Netcraft's report is here. ®