Attackers can read emails, contacts and other private data from the accounts of Yahoo users who visit malicious websites. A limited version of the attack was presented on Sunday at the DefCamp security conference in Bucharest, Romania, by a Romanian Web application bug hunter named Sergiu Dragos Bogdan. Bogdan presented a proof-of-concept (PoC) attack page that loaded a specific developer.yahoo.com URL inside an iframe. When the attack page was visited by an authenticated Yahoo user — a test account — the iframe returned the visitor’s crumb code.

