SUNNYDALE, CA — Yahoo’s mail servers have been taking a beating lately. First from industry experts who’ve pointed out their unreliable delivery mechanisms and now by another security team that’s confirmed their vulnerability to hackers.Nir Goldshlager and Roni Bahar work for Israeli security company Avnet and according to them, it’s not that hard for hackers to gain entry to users of the search engine giant’s mailboxes.
The duo conducted a security experiment by opening a new Yahoo account and sending it a message with an infected HTML document as an attachment. Upon viewing the email within an Internet Explorer Web browser, the code instructed the new account to send its owner’s cookie to the hacker’s server, thus making the non-existent account holder’s system ripe for the picking — all without even needing to open the diseased doc. A hacker using such a method could retrieve the cookie at their leisure and then spend as much time as they want in their victim’s mailbox, sending and reading emails to their heart’s content.
On the plus side, such a hacker would not be able to change the victim’s Yahoo password, but locating and employing the right tools for further invasion are not difficult.
Kelley Podboy, a representative for Yahoo, says that such a “bug” is a serious matter for the company and assures users that “We have developed a fix and are in the process of deploying it worldwide. Yahoo! Mail users will not be required to take any action to be protected from this exploit.”
