- V3 Apps
It is currently unclear whether the exploit will work, though numerous security vendors, including Trend Micro security director Rik Ferguson, have indicated TheHell's claims could be legitimate.
"We discovered something very similar in Hotmail not too long ago," Ferguson told V3.
"How serious could it be? Well considering how interlinked our online services are, and how the email account is often at the heart of our web of existence it's like handing over the keys to your online identity."
F-Secure security researcher Sean Sullivan added that if legitimate, the exploit could prove the next hot item on the online black market.
"It certainly isn't a good thing that an active session cookie can be stolen or hijacked. But then, that's why I typically log off and purge my browser's cache at the end of the day. Also, it's why I ‘browse' with one browser (system default) and ‘logon' with another. I can see this type of attack being very useful for a select audience," Sullivan told V3.
Imperva chief technology officer Amichai Shulman highlighted the problem as systematic of wider problems within the security industry.
"The main issue here is not Yahoo specific but rather regarding such vulnerabilities as XSS - organisations should realise that we are living in a new era where the combination of good coding practices and network security is no longer good enough," said Shulman.
Automatic exploit kits have been a growing problem within the security industry. Earlier in the year both Microsoft and F-Secure have listed exploit kits like Blackhole as one of the biggest threats facing the globe.