It was just about a month ago that Yahoo finally rolled out HTTPS for Yahoo Mail, a security feature that other major e-mail providers have long been providing.
Yahoo has now plugged a hole that allowed hijacking of email accounts. The hackers were using a piece of JavaScript code that was exploiting a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network Blog site, resulting in stealing visitors' Yahoo session cookies.
The vulnerability was discovered by BitDefender who reported it to Yahoo. Additional information about the vulnerability and how it worked is available at
Yahoo plugs hole that allowed hijacking of email accounts.
