Researchers at Australia-based BitDefender say they’ve found how some Yahoo Mail accounts are being hijacked, and it leads back to “buggy” blog software Yahoo’s developers used.
The attack also relies on retrieving session cookies via a subdomain, which attackers were able to access by exploiting a 9-month-old Cross-Site Scripting flaw — CVE-2012-3414 — in the WordPress blog software used by Yahoo developers. That vulnerability was fixed when WordPress version 3.3.2 was released in April 2012.
“Since it is located on a sub-domain of the yahoo.com website, all the attackers need to do is trigger the bug and pass a command that steals the cookie, and then send it ‘home,’” according to the release. “At this point, miscreants have full access to the victim’s contact list until the current session expires or the user logs out. Crooks will either spam the contacts in the stolen lists (which may include friends, family, business contacts, and professors) or use these contacts to send spam e-mails and/or malware in the name of the crook.”
The company advises users to take the usual precautions: sign out when you’re done reading or writing e-mails, only click trustworthy links and keep up with antivirus updates and patches.