Apple's April 20 event COVID vaccines and blood clots DogeCoin Google Doodle honors Gutenberg Stimulus check status and plus-up money Child tax credit will be monthly

Report: Yahoo jobs site used in phishing attack

A vulnerability on Yahoo's HotJobs site is letting somebody steal authentication privileges from Yahoo users to gain access to their accounts, Netcraft says.

Yahoo's HotJobs site is vulnerable to a phishing-based attack that can give an attacker access to a Yahoo member's mail and other personal accounts, British network service firm Netcraft said Monday, and someone has been taking advantage of it.

In phishing, an attacker sends a bogus e-mail masquerading as a legitimate message from a company, in this case Yahoo HotJobs. Clicking on a link that includes specially formatted JavaScript code can cause the Web site to run a program because of a cross-site scripting vulnerability, Netcraft said.

"The script steals the authentication cookies that are sent for the domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," NetCraft said Monday. "Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present."

I'll update this post once Yahoo gets back to me with any comment.

Update 3:44 p.m. PDT: Yahoo acknowledged the vulnerability but said it's fixed now.

"The team was made aware of this particular cross-site scripting issue yesterday morning (Sunday, October 26) and a fix was deployed within a matter of hours. Yahoo appreciates Netcraft's assistance in identifying this issue," the company said in a statement. "As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to"

Yahoo wouldn't comment on how many people might have been affected.