Sigh
These, and many, MANY more vulnerabilities very similar to it have always existed on Yahoo!
When I started programming 12 years ago it was simply as a means to utilise these ‘backdoors’. Yahoo have hundreds, even thousands of alternative login methods and front-ends, and all a guy has to do to attempt a brute force attack is play around with their sub-domains until he finds one that doesn’t either a) produce a captcha after one wrong attempt, b) lock the account for an hour after 5 attempts or, almost more importantly, c) ban your IP for an hour after 10 attempts (which the regular login page does).
Their Messenger program also has many different servers with which you can login, and finding one of those that doesn’t stop working after 5 attempts is as trivial as finding a whore in a whorehouse.
12 years on, and they still haven’t changed the basic foundation of their credential access; they still leave it up to each front-end developer to add their own security measures.
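To make the commenter's point concrete, here is an added example (not code from the comment, from Yahoo!, or from anyone on this page) of what a single shared credential-access layer looks like versus a front-end that checks passwords on its own. The three thresholds (captcha after one wrong attempt, account lock for an hour after 5, IP ban for an hour after 10) are taken from the comment; the class and function names, the plaintext credential store, the sample account, the IP addresses and the wordlist are all assumptions constructed for the demo.

```python
import hmac
import time
from collections import defaultdict

# Thresholds mirroring the three controls the comment says the regular login page has.
# The numbers, names and store layout are assumptions for this added example.
CAPTCHA_AFTER = 1        # wrong attempts on an account before a captcha is demanded
ACCOUNT_LOCK_AFTER = 5   # wrong attempts before the account is locked
IP_BAN_AFTER = 10        # wrong attempts from one source IP before that IP is banned
LOCKOUT_SECONDS = 3600   # an hour, as in the comment


class LoginGate:
    """One credential-access layer that every front-end (web login, Messenger
    server, any sub-domain) must call. Counters live here, keyed by account and
    by source IP, so switching to another front-end does not reset them."""

    def __init__(self, credentials, clock=time.time):
        # Hypothetical plaintext store for the demo only; a real store holds salted hashes.
        self.credentials = credentials
        self.clock = clock
        self.account_failures = defaultdict(int)
        self.account_locked_until = {}
        self.ip_failures = defaultdict(int)
        self.ip_banned_until = {}

    def _blocked(self, table, key):
        return table.get(key, 0.0) > self.clock()

    def attempt(self, user, password, ip, captcha_solved=False):
        """Return a status string; only 'ok' grants access."""
        now = self.clock()
        if self._blocked(self.ip_banned_until, ip):
            return "ip_banned"
        if self._blocked(self.account_locked_until, user):
            return "account_locked"
        if self.account_failures[user] >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        expected = self.credentials.get(user, "")
        # compare_digest keeps comparison time independent of where the strings differ
        if user in self.credentials and hmac.compare_digest(expected, password):
            self.account_failures[user] = 0
            return "ok"
        self.account_failures[user] += 1
        self.ip_failures[ip] += 1
        if self.account_failures[user] >= ACCOUNT_LOCK_AFTER:
            self.account_locked_until[user] = now + LOCKOUT_SECONDS
        if self.ip_failures[ip] >= IP_BAN_AFTER:
            self.ip_banned_until[ip] = now + LOCKOUT_SECONDS
        return "wrong_password"


def guess_through_gate(gate, user, ip, guesses):
    """Run a wordlist against the shared gate (attacker solves every captcha).
    Returns (password found or None, number of guesses the gate actually checked)."""
    checked = 0
    for pw in guesses:
        status = gate.attempt(user, pw, ip, captcha_solved=True)
        if status in ("ok", "wrong_password"):
            checked += 1
        if status == "ok":
            return pw, checked
    return None, checked


def spray_through_gate(gate, users, password, ip):
    """Password spraying: one guess per account from one IP. Returns the status
    of each attempt; the per-IP counter stops it even though no account locks."""
    return [gate.attempt(u, password, ip) for u in users]


def guess_through_unguarded_frontend(credentials, user, guesses):
    """The alternative front-end the comment describes: it checks the password
    itself and never consults the shared counters, so nothing stops the wordlist."""
    for pw in guesses:
        if credentials.get(user) == pw:
            return pw
    return None


def demo():
    creds = {"alice": "correct-horse-battery"}      # constructed sample account
    wordlist = [f"password{i}" for i in range(30)] + ["correct-horse-battery"]
    fixed_clock = lambda: 1_000_000.0               # frozen clock so lockouts never expire here
    return {
        "gated": guess_through_gate(LoginGate(creds, fixed_clock), "alice", "203.0.113.7", wordlist),
        "spray": spray_through_gate(LoginGate(creds, fixed_clock),
                                    [f"user{i}" for i in range(12)], "Winter2024", "198.51.100.9"),
        "unguarded": guess_through_unguarded_frontend(creds, "alice", wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

Against the gate, the wordlist gets five checked guesses and then nothing but "account_locked"; the spray gets ten guesses across ten accounts and then "ip_banned" for the rest. The unguarded front-end hands back the password on the 31st try, which is exactly the situation the comment describes: the controls exist, but only on the endpoints whose developers remembered to add them.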