X

Report: Yahoo jobs site used in phishing attack

A vulnerability on Yahoo's HotJobs site is letting somebody steal authentication privileges from Yahoo users to gain access to their accounts, Netcraft says.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
See full bio
Stephen Shankland
2 min read

Yahoo's HotJobs site is vulnerable to a phishing-based attack that can give an attacker access to a Yahoo member's mail and other personal accounts, British network service firm Netcraft said Monday, and someone has been taking advantage of it.

In phishing, an attacker sends a bogus e-mail masquerading as a legitimate message from a company, in this case Yahoo HotJobs. Clicking on a link that includes specially formatted JavaScript code can cause the Web site to run a program because of a cross-site scripting vulnerability, Netcraft said.

"The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," NetCraft said Monday. "Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present."

I'll update this post once Yahoo gets back to me with any comment.

Update 3:44 p.m. PDT: Yahoo acknowledged the vulnerability but said it's fixed now.

"The team was made aware of this particular cross-site scripting issue yesterday morning (Sunday, October 26) and a fix was deployed within a matter of hours. Yahoo appreciates Netcraft's assistance in identifying this issue," the company said in a statement. "As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com."

Yahoo wouldn't comment on how many people might have been affected.