Yahoo! has fixed the problem.
This page hosted a demonstration script which accessed a *publicly available* link on Yahoo's domain which displayed your YahooID.
Big deal you say? Any website, such as this one, would be capable of embedding that link within the code in order to reap the contents - and discover your identity from the information obtained.
If you'd like to test it yourself you can download the file linked below. If it has your YahooID within it then - obviously - it's not fixed.
This information was obtained by reading the contents of a URL used in a large number of YahooGroups message advertisements. Here's the URL: http://smartbanner.san.yahoo.com/cgi-bin/sbanner.js
About 36 hours after receiving the response from TRUSTe, each time I visited this page the script has failed. This is not a problem with my code, but it might have been fixed on Yahoo!'s end. If so, they have not had the consideration of contacting me to let me know it has been resolved (In all my correspondence on this subject so far I have asked to be notified if it this threat to privacy had been resolved). On the other hand, they may have just filtered this domain and IP from the acceptable referrer list - which means that though I cannot exploit your YahooID on *this* site, it may be possible on other sites. If they ever tell me, I'll post it here. And, of course, I'll continue to update this site as information is made available.
I've contacted Yahoo! about this situation twice (2001/03/06 and 2001/03/10). The second time, because Yahoo! had not responded to either notice, I also contacted TRUSTe. 2001/03/12 I received a response from a representative at TRUSTe that is looking into the issue. So much for Yahoo! being capable of policing itself. I'll update this site as information is made available.
A special thanks to my lovely wife Annette for discovering this issue.