Reply to post: It's time this was fixed.

Yahoo! dysfunction! meant! security! warnings! were! ignored!

Anonymous Coward

It's time this was fixed.

The cookie forgery issue goes all the way back to 2009; details of it were, and still are, public. The reported attack sounds very similar to what was done back then. Yahoo appear to still be using the same authentication system as they did at that time. Why they did not choose to address the wider issues that were highlighted in the time since is puzzling. I hope they realise that changing the server secret to invalidate the cookies is only a temporary solution. In order to prevent this from happening again, they must redesign their single sign-on system, which allows/allowed any production server to become a single point of failure.
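The two design points the comment raises, a shared server secret that any production server can use to mint cookies, and a secret change that logs everyone out at once, can be shown side by side in code. The following is an added illustration written for this page; it is not the commenter's code and it has nothing to do with Yahoo's actual system, whose internals are not described here. The cookie layout (`kid.payload.signature`), the function names and the key ids are all constructed for the example. Scheme A is the shared-secret HMAC design, in which every verifying server necessarily holds the minting secret. Scheme B moves minting to a single issuer holding an Ed25519 private key, gives front-end servers only public keys, and tags each cookie with a key id so that one key can be retired without invalidating cookies signed under the others.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Cookie layout shared by both schemes (constructed for this example):
//   <kid>.<base64url(payload)>.<base64url(signature)>
var enc = base64.RawURLEncoding

var (
	ErrMalformed  = errors.New("cookie: malformed")
	ErrBadSig     = errors.New("cookie: signature mismatch")
	ErrUnknownKey = errors.New("cookie: unknown key id")
)

func pack(kid, payload string, sig []byte) string {
	return kid + "." + enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(sig)
}

func unpack(cookie string) (kid string, payload, sig []byte, err error) {
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 {
		return "", nil, nil, ErrMalformed
	}
	if payload, err = enc.DecodeString(parts[1]); err != nil {
		return "", nil, nil, ErrMalformed
	}
	if sig, err = enc.DecodeString(parts[2]); err != nil {
		return "", nil, nil, ErrMalformed
	}
	return parts[0], payload, sig, nil
}

// Scheme A: shared-secret HMAC. Every server that verifies must hold the
// secret, and the secret alone is enough to mint, so any one server is a
// single point of failure and the only remedy is to rotate the secret,
// which invalidates every cookie at once.
func MintHMAC(secret []byte, payload string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return pack("shared", payload, mac.Sum(nil))
}

func VerifyHMAC(secret []byte, cookie string) (string, error) {
	_, payload, sig, err := unpack(cookie)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", ErrBadSig
	}
	return string(payload), nil
}

// Scheme B: one issuer holds the private key; front ends hold only public
// keys in a keyring indexed by key id, so they can verify but never mint.
type Issuer struct {
	kid  string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewIssuer(kid string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{kid: kid, priv: priv, pub: pub}, nil
}

func (i *Issuer) KID() string                  { return i.kid }
func (i *Issuer) PublicKey() ed25519.PublicKey { return i.pub }

// Mint signs the key id together with the payload so a cookie cannot be
// re-labelled to a different key.
func (i *Issuer) Mint(payload string) string {
	return pack(i.kid, payload, ed25519.Sign(i.priv, []byte(i.kid+"."+payload)))
}

// Keyring is what a front-end server deploys: public keys only. Deleting a
// key id retires just the cookies signed under that key.
type Keyring map[string]ed25519.PublicKey

func (k Keyring) Verify(cookie string) (string, error) {
	kid, payload, sig, err := unpack(cookie)
	if err != nil {
		return "", err
	}
	pub, ok := k[kid]
	if !ok {
		return "", ErrUnknownKey
	}
	if !ed25519.Verify(pub, []byte(kid+"."+string(payload)), sig) {
		return "", ErrBadSig
	}
	return string(payload), nil
}
```

With scheme B, a compromised front-end server yields nothing that can mint a cookie, and rotating to a new key id is done by adding the new public key to every keyring while the old one stays valid for as long as the operator chooses, rather than by a single secret change that invalidates every session.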
