The experts are warning Yahoo! email users that they could be targeted by criminals. A super-hacker said he had broken the code, and found a way to read emails and take over accounts - and he put it up for sale for $700.
So what does this mean for people with a Yahoo! email account, and what can they do?
The hackThe Egyptian Hacker calling himself TheHell says he has found a flaw in Yahoo! security, which means he can steal cookies, and then read all your emails and hijack your account. The hack works by sending users an email containing malicious code. If you click on it, it will run a script that steals cookies and other sensitive information on your browser.
He posted a video to an underground forum, which was discovered by undercover journalist Brian Krebs, who revealed all on his blog krebsonsecurity.com.
Krebs said that the hacker claimed: "I'm selling Yahoo! stored xss that steal Yahoo! emails cookies and works on ALL browsers." He added: "Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don't want it to be patched soon!"
So what should users do?The good news is that Krebs has alerted Yahoo!, and reported that Ramses Martinez, director of security at Yahoo! said: "Fixing it is easy, most XSS are corrected by simple code change. Once we figure out the offending URL we can have new code deployed in a few hours at most." It means that by the time you read this, a patch may already be in place.
However, as Krebs said: "These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting."
Lisa Vaas, a tech journalist who writes for Sophos blog, Naked Security, said that this hack took advantage of something called an XSS flaw. She explains: " XSS flaws happen when an application takes untrusted data and sends it to a browser without properly validating or encoding it. The flaws enable attackers to execute scripts in victim's browsers, which then hijack user sessions, deface web sites, or redirect a user to malicious sites."
Unfortunately, she adds, these flaws are not unusual. She quotes site xssed.com, which publishes details of flaws and when they are fixed. Some 22 of the top 25 are Yahoo pages - six of which hadn't been fixed at the time of writing.