Web bugs can have serious risks, especially when they fester for eight months.
Enlarge / Reflected XSS vulnerabilities in action
When my neighbor called early Wednesday morning, she sounded close to tears. Her Yahoo Mail account had been hijacked and used to send spam to addresses in her contact list. Restrictions had then been placed on her account that prevented her from e-mailing her friends to let them know what happened.
In a blog post published hours before my neighbor's call, researchers from security firm Bitdefender said that the hacking campaign that targeted my neighbor's account had been active for about a month. Even more remarkable, the researchers said the underlying hack worked because Yahoo's developer blog runs on a version of the WordPress content management system that contained a vulnerability developers addressed more than eight months ago. My neighbor's only mistake, it seems, was clicking on a link while logged in to her Yahoo account.
As someone who received one of the spam e-mails from her compromised account, I know how easy it is to click such links. The subject line of my neighbor's e-mail mentioned me by name, even though my name isn't in my address. Over the past few months, she and I regularly sent messages to each other that contained nothing more than a Web address, so I thought nothing of opening the link contained in Wednesday's e-mail. The page that opened looked harmless enough. It appeared to be an advertorial post on MSNBC.com about working from home, which is something I do all the time. But behind the scenes, according to Bitdefender, something much more nefarious was at work.
"It's a little bit like money laundering," Jeff Williams, a Web application security expert and CEO of Aspect Security. told Ars, referring to reflected XSS attacks. "You take your script, and you send it through developer.yahoo.com, and when it comes into your browser, now it's clean. It runs as developer.yahoo.com and it can access your cookie."
Once hackers possess a Yahoo authentication cookie, they can log in to the corresponding account and send spam, siphon the address book, and control other key functions for as long as the cookie is valid, or until the user logs off. In some cases cookie-stealing attacks work only when a victim clicks a malicious link while logged in to the targeted service.
According to the Open Web Application Security Project, XSS vulnerabilities are the number two threat faced by websites. just behind another serious vulnerability that permits so-called SQL injection attacks. XSS vulnerabilities are to websites as dandelions are
to a suburban lawn. They're almost impossible to eradicate even by a watchful groundskeeper. Left to their own devices, they soon run rampant. Most XSS bugs are inconsequential, but every now and then they make the difference between an account getting hacked or remaining secure, as my neighbor now knows.
If Bitdefender researchers are correct in saying the campaign targeting Yahoo accounts began roughly a month ago, and that the hack worked because administrators didn't apply a patch released more than eight months ago, this is a serious misstep on the part of Yahoo admins. Add to that Yahoo's failure to warn its users once the attacks became public and its PR department's failure to reply to my e-mail inquiries and it's even harder to excuse what's happened here. What's more, a report released Tuesday by security firm Imperva details a separate SQL injection attack that last month gave hackers control over Yahoo servers, suggesting that such problems are systemic.
Given the huge financial and competitive strains the company faces, an about-face doesn't look likely anytime soon. That's why I suggested my neighbor switch to Gmail. Google's service is by no means perfect, but it has been the undisputed leader in Web mail security. It was the first to offer always-on HTTPS protection that encrypts mail sessions from start to finish, and it employs world-class security experts who recognize that their users' lives may depend on the integrity of their e-mail accounts. (In the case of dissidents in China and other countries with repressive governments, this may be literally true).
Closing out an e-mail account can be a hassle, but already my neighbor is looking forward to a new beginning.
"I'm sorry to report that my e-mail was hacked this morning and many of you probably got messages from me inviting you to open a link," she wrote in a message sent from her new Gmail account. "May your day be uncluttered, no more nonsense!"
On Thursday afternoon, Yahoo officials released the following statement:
Yahoo! takes security and our users' data seriously. We recently learned of a vulnerability from an external security firm and confirm that we have fixed the vulnerability. We encourage concerned users to change their passwords to a strong password that combines letters, numbers, and symbols; and to enable the second login challenge in their account settings.
There's no evidence that weak passwords or a lack of a second login challenge played any role in the hacking campaign.
This happened to me more than 6-7 months ago. I was lucky I do not actively use the contact list but I still had to apologize to like 20 people.
I spent ridiculous amount of time trying to find out how I screwed up. Changed passwords for several services that shared the same password (I only use this password for highly trusted services like paypal), tracked logins and what not. I was so convinced it was my fault. if only you wrote this article at the time. I even wrote to customer support at yahoo and received no answer.
Last edited by Stilgar on Thu Jan 31, 2013 6:48 am
@ergomane: subdomains can access cookies from their domain root, as specified in RFC 2109 & 2965. Like most portal sites, Yahoo stores its login cookies in .yahoo.com so that users persist across all of their various properties.
Ugh, I have a legacy account (and some throwaways) on Yahoo. Looks like it's time to turn on 2-step auth there. http://www.howtogeek.com/130844/secure-. -services/
598 posts | registered Sep 18, 2003