Corrine Administrator, Microsoft MVP, Security Analyst Staff member Joined Feb 22, 2012 Posts 12,295 Location Upstate, NY Feb 4, 2013 #1 It was just about a month ago that Yahoo finally rolled out HTTPS for Yahoo Mail, a security feature that other major e-mail providers have long been providing. Yahoo has now plugged a hole that allowed hijacking of email accounts. The hackers were using a piece of JavaScript code that was exploiting a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network Blog site, resulting in stealing visitors' Yahoo session cookies. The vulnerability was discovered by BitDefender who reported it to Yahoo. Additional information about the vulnerability and how it worked is available at Yahoo plugs hole that allowed hijacking of email accounts.
It was just about a month ago that Yahoo finally rolled out HTTPS for Yahoo Mail, a security feature that other major e-mail providers have long been providing. Yahoo has now plugged a hole that allowed hijacking of email accounts. The hackers were using a piece of JavaScript code that was exploiting a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network Blog site, resulting in stealing visitors' Yahoo session cookies. The vulnerability was discovered by BitDefender who reported it to Yahoo. Additional information about the vulnerability and how it worked is available at Yahoo plugs hole that allowed hijacking of email accounts.