

How Yahoo allowed hackers to hijack my neighbor's e-mail account - Jaigus
http://arstechnica.com/security/2013/01/how-yahoo-allowed-hackers-to-hijack-my-neighbors-e-mail-account/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

======
throwaway125
The gist of it seems to be that Yahoo ran a vulnerable WordPress site that
allowed the attacker to run JavaScript from the yahoo domain, allowing them to
steal login cookies.

That makes me wonder, doesn't Yahoo set the HttpOnly flag for their session
cookies? Is there any reason you may want JavaScript to access the session
cookie?

Suppose it's a good time for everyone to verify that their websites properly
set HttpOnly on any cookies you don't want accessible via JavaScript.
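
A small audit of the kind the comment above suggests, added here as an example (not code from the article or from the commenter): it parses Set-Cookie header values and reports which session cookies are missing the HttpOnly flag (and, as a secondary check, Secure). The sample headers and cookie names are constructed placeholders, not Yahoo's real cookies.

```python
"""Audit Set-Cookie headers for cookies that script could read (no HttpOnly)."""
from dataclasses import dataclass
from typing import Iterable, List, Set
import urllib.request


@dataclass
class CookieAudit:
    name: str
    httponly: bool   # without HttpOnly, document.cookie exposes it to injected JS
    secure: bool     # without Secure, it also travels over plain HTTP


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name, "httponly" in attrs, "secure" in attrs)


def find_weak_cookies(headers: Iterable[str], session_names: Set[str]) -> List[CookieAudit]:
    """Return the session cookies (by name) that were set without HttpOnly."""
    audits = (parse_set_cookie(h) for h in headers)
    return [c for c in audits if c.name in session_names and not c.httponly]


def audit_url(url: str, session_names: Set[str]) -> List[CookieAudit]:
    """Live check: fetch a URL and audit every Set-Cookie header it returns."""
    with urllib.request.urlopen(url) as resp:
        set_cookies = resp.headers.get_all("Set-Cookie") or []
    return find_weak_cookies(set_cookies, session_names)


# Constructed sample response headers (placeholder names, not a real site's).
SAMPLE_HEADERS = [
    "sid=a1b2c3; Domain=.example.com; Path=/; HttpOnly; Secure",  # hardened
    "T=z9y8x7; Domain=.example.com; Path=/",                      # weak: no HttpOnly
    "prefs=dark; Path=/",                                         # not a session cookie
]
SESSION_COOKIE_NAMES = {"sid", "T"}

if __name__ == "__main__":
    for weak in find_weak_cookies(SAMPLE_HEADERS, SESSION_COOKIE_NAMES):
        print(f"session cookie {weak.name!r} is readable by script (add HttpOnly)")
```

Run it against a real deployment with audit_url(url, names); an empty result means every listed session cookie carries HttpOnly.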

------
pasbesoin
Off the top of my head and as anecdote, I've probably received the most spam
and/or malicious emails from friends' compromised email accounts where those
accounts are Yahoo accounts. Hotmail would probably be second.

I usually go to the effort to call them up as soon as I can to inform them of
the compromise. I've started gently describing the problems with these
particular hosts; unfortunately, however, most don't go to the effort to make
a change. And several have been compromised multiple times.

