19 Sep 2009
Yahoo Mail users are being warned that a two-year-old hole in the service could be allowing hackers to gain easy access to their accounts, according to new reports.
Ryan Barnett, director of application security research at Breach Security, said the problem stems from a web application that automates the log-in procedure for the popular webmail service, according to a report in The Register.
However, this web app crucially fails to adhere to the same security checks normally followed by the usual log-in page, enabling "some sort of water tunnel that the bad guys are walking right through", Barnett is reported as saying.
Hackers are therefore using the insecure web app to carry out brute force attacks on user passwords – a process whereby they try all possible combinations of letters and numbers to crack the password and gain entry to the account.
Other security experts are reported as saying that this new revelation confirms what many have suspected for a while – backend applications are a key factor in the increasing success of account hijacking cases targeting all social networks and portal sites.
Once hacked, the accounts can be used to send out spam and malware that stand a better chance of bypassing traditional filters.
Hackers may also choose to use the account details to try to access banking accounts, as many people use the same or similar passwords on multiple accounts.
Yahoo is understood to be investigating the vulnerability.