Yahoo Mail users are being warned that a two-year-old hole in the service could be allowing hackers to gain easy access to their accounts, according to new reports.
Ryan Barnett, director of application security research at Breach Security, said the problem stems from a web application which automates the log-in procedure for the popular webmail service, according to a report in The Register.
However, this web app crucially fails to adhere to the same security checks normally followed by the usual log-in page, enabling "some sort of water tunnel that the bad guys are walking right through”, Barnett is quoted as saying.
Hackers are therefore using the unsecure web app to carry out brute force attacks on user passwords; a process whereby they try all possible combinations of letter and numbers in order to crack the password, and gain entry to the account.
Other security experts are reported as saying that this new revelation confirms what many have suspected for a while: that back-end applications are a key factor in the increasing success of account hijacking cases targeting all social networks and portal sites.
Once hacked, the accounts can be used to send out spam and malware, aiding the hackers cause, as opposed to spam they stand a better chance of bypassing traditional filters.
Hackers may also choose to use the account details to try and access banking or other more lucrative accounts, as many people use the same or similar passwords on multiple accounts.
Yahoo is understood to be investigating the vulnerability.
