October 27, 2008 3:42 PM PDT

Report: Yahoo jobs site used in phishing attack

by Stephen Shankland

Yahoo's HotJobs site is vulnerable to a phishing-based attack that can give an attacker access to a Yahoo member's mail and other personal accounts, British network service firm Netcraft said Monday, and someone has been taking advantage of it.

In phishing, an attacker sends a bogus e-mail masquerading as a legitimate message from a company, in this case Yahoo HotJobs. Here the link in the message carries attacker-supplied JavaScript in its parameters; because of a cross-site scripting vulnerability, the HotJobs site reflects that code into the page it serves, so the victim's browser runs the attacker's script as if it were Yahoo's own, Netcraft said.

"The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Netcraft said Monday. "Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present."

I'll update this post once Yahoo gets back to me with any comment.

Update 3:44 p.m. PDT: Yahoo acknowledged the vulnerability but said it's fixed now.

"The team was made aware of this particular cross-site scripting issue yesterday morning (Sunday, October 26) and a fix was deployed within a matter of hours. Yahoo appreciates Netcraft's assistance in identifying this issue," the company said in a statement. "As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com."

Yahoo wouldn't comment on how many people might have been affected.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.