Yahoo HotJobs site vulnerable to cross-site scripting attack
Internet research firm Netcraft's toolbar has detected a cross-site scripting bug in Yahoo that could be exploited to steal authentication cookies.
The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.
"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote. The pilfered credentials could give the attackers access to the victims' Yahoo accounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.