Users of Yahoo’s mail service are warned that a vulnerability in the service could be allowing hackers to easily access their accounts and steal their information.
Ryan Barnett, director of application security research at Breach Security Corp, said the problem starts with a web application designed to automate the login process for the service. That application does not enforce the same security checks the login page itself applies, creating what Barnett describes as “some sort of water tunnel that the bad guys are walking right through.”
Attackers are using the application to carry out brute-force attacks on user accounts. Because the automated path lacks the login page's checks, the repeated failed attempts are neither registered nor blocked, as they would be on most login pages.
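The failure mode described above is a second login path that bypasses the checks the main login page performs. The example below, added here as an illustration and not code from the article, from Yahoo or from Breach Security, routes every login path through one throttling choke point so an automated endpoint cannot be used to sidestep the lockout, and contrasts it with an endpoint that talks to the credential store directly. The endpoint names, the five-failure threshold, the 15-minute window, the in-memory store and the credential and guess lists are all assumptions made for the demo.

```python
"""Shared brute-force throttling for every login path.

Added example for this article; it is not Yahoo's or Breach Security's code.
The endpoint names, thresholds, in-memory store and credentials are assumptions.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed: block after five failed attempts ...
WINDOW_SECONDS = 900    # assumed: ... within a 15-minute sliding window

# Constructed credential store for the demo (plain text only to keep it short).
USERS = {"alice": "correct horse battery staple"}

# Constructed guess list: six wrong guesses, then the real password.
GUESSES = ["password", "123456", "qwerty", "letmein", "alice1", "welcome",
           "correct horse battery staple"]


class LoginThrottle:
    """Counts failed attempts per (account, source IP) regardless of which
    endpoint the attempt came through. The shared store is the point: an
    alternate login path that kept its own counter, or none at all, is the
    gap the article describes."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable for tests
        self._failures = defaultdict(list)      # key -> failure timestamps

    @staticmethod
    def _key(username, source_ip):
        return (username.strip().lower(), source_ip)

    def _recent(self, key):
        """Drop failures older than the window and return the live list."""
        cutoff = self.clock() - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_blocked(self, username, source_ip):
        return len(self._recent(self._key(username, source_ip))) >= self.max_failures

    def record_failure(self, username, source_ip):
        self._recent(self._key(username, source_ip)).append(self.clock())

    def record_success(self, username, source_ip):
        self._failures.pop(self._key(username, source_ip), None)


def check_password(username, password):
    """Credential check only, no policy. Constant-time compare on the secret."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def authenticate(throttle, username, password, source_ip):
    """Single choke point every login path must call.
    Returns 'blocked' before consulting the credential store, so a locked-out
    attacker learns nothing about the password whichever endpoint they use."""
    if throttle.is_blocked(username, source_ip):
        return "blocked"
    if check_password(username, password):
        throttle.record_success(username, source_ip)
        return "ok"
    throttle.record_failure(username, source_ip)
    return "bad_credentials"


# Two hypothetical entry points, both routed through authenticate().
def login_page(throttle, username, password, source_ip):
    return authenticate(throttle, username, password, source_ip)


def auto_login_endpoint(throttle, username, password, source_ip):
    return authenticate(throttle, username, password, source_ip)


def unthrottled_auto_login(username, password, source_ip):
    """The weak pattern: a second path that queries the credential store
    directly and never records failures, so a brute-force run through it is
    neither registered nor blocked."""
    return "ok" if check_password(username, password) else "bad_credentials"


def run_guesses(login_fn, guesses=GUESSES, username="alice", source_ip="203.0.113.7"):
    """Replay a guess list through a login function and return each outcome."""
    return [login_fn(username, g, source_ip) for g in guesses]


if __name__ == "__main__":
    throttle = LoginThrottle()
    print("unthrottled path:", run_guesses(unthrottled_auto_login))
    print("throttled path:  ",
          run_guesses(lambda u, p, ip: auto_login_endpoint(throttle, u, p, ip)))
```

Through the unthrottled path the seventh guess succeeds; through the shared throttle the sixth and seventh attempts are refused before the password is even checked, and failures accumulated on the main login page count against the automated endpoint too. Keying by (account, source IP) alone does not stop an attacker who rotates source addresses, so a per-account counter that escalates to a CAPTCHA or step-up challenge, rather than a hard lockout that would let anyone lock a victim out, is the usual complement; in a real deployment the counter also has to live in a store shared by every frontend, not in process memory.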
Backend applications are a key factor in the increasing success of account hijacking against social networks and portal sites. Once hijacked, the accounts can be used to send out spam and malware, and the stolen credentials may also be tried against banking accounts, since many people use the same or similar passwords across multiple services.
Yahoo is said to be investigating.