Risk: Low
Hackers may be able to gain access to Yahoo! email accounts by sending a malicious attachment. Nir Goldshlager and Roni Bahar from the Israeli security company Avnet conducted experiments sending malicious code attachments. They discovered that upon opening the malicious attachment, a new email account was opened and an email message was sent to that mailbox along with an HTML file with the malicious code as an attachment.
Opening the email in Internet Explorer undetectably sends the user's cookie to the hacker's server. The user is consequently exposed to the vulnerability without having to download or open the HTML file.
The hacker can then retrieve the cookie from the remote server and gain full access to the user's mail box, with no time limit. The hacker can read and send emails from the mailbox. Although a hacker could not change the password from within the mailbox because that action requires entering the original password, tools available online may be used to retrieve personal information from the cookie.
Yahoo's spokeswoman, Kelley Podboy, stated: "Online security issues such as this bug are taken very seriously at Yahoo! We have developed a fix and are in the process of deploying it worldwide. Yahoo! Mail users will not be required to take any action to be protected from this exploit."