Yahoo’s ad network sent malware to the computers of people who visited the company’s popular family of sites for a week, the New York Times reported.
The issue, uncovered by researchers at Malwarebytes, is a warning that even the most trusted sites can sometimes contain hidden threats. The attack started on July 28 and has now been resolved, according to the Times. A Yahoo spokesperson declined to comment to The Washington Post on how long the issue persisted, saying that the company’s investigation is ongoing.
The attack leveraged a bug in Adobe Flash — a graphics program with a history of security problems that many developers have urged users to dump.
The type of scheme used, known as “malvertising,” takes advantage of the online advertising system that supports much of the Web: The bad guys buy up digital ad space, then use it to serve up malicious software to visitors of legitimate sites. In this case, those sites included Yahoo’s sports, news and finance sites, according to the Times.
When people using Windows computers visited the site, the infected ads sent them malicious code that checked to see if their computer had an out-of-date version of Flash — which it could then potentially use to hijack the computer.
“As soon as we learned of this issue, our team took action to block this advertiser from our network,” a Yahoo spokesperson said in a statement. “Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience.”
It’s unclear how many people may have been hit by the attack, which did not require users to do anything other than browse to a page featuring the malicious advertisements. But Malwarebytes noted that Yahoo’s home page receives billions of visits a month, and its other news and entertainment sites receive hundreds of millions of visits.
Yahoo declined to comment on how many people were caught up in the advertising attack, but said “the scale of the attack was grossly misrepresented in initial media reports.”