A flaw has been detected in Yahoo! that lets an attacker take control of a user’s account which includes access to his or her emails.

“I guess the beautiful bit about it from an attacker’s viewpoint is quite a lot of people would be unaware of what’s happened. Not many people will think of changing their password after that happens,” said an internet services developer for Netcraft.

The flaw existed in hotjobs.yahoo.com. It is a cross site scripting error (XSS) and attackers can take advantage of the flaw by injecting a javascript into a page which is used to authenticate Yahoo! users.

Source: The Register