Yahoo plugs hole that allowed hijacking of email accounts
By Lucian Constantin
Hackers behind a recently detected email attack campaign are exploiting a vulnerability in a Yahoo website to hijack the email accounts of Yahoo users and use them for spam, according to security researchers from antivirus vendor Bitdefender.
The attack begins with users receiving a spam email with their name in the subject line and a short “check out this page” message followed by a bit.ly shortened link. Clicking on the link takes users to a website masquerading as the MSNBC news site that contains an article about how to make money while working from home, the Bitdefender researchers said Wednesday in a blog post.
Session cookies open door
Session cookies are unique strings of text stored by websites inside browsers in order to remember logged-in users until they sign out. Web browsers use a security mechanism called the same-origin policy to prevent websites opened in different tabs from accessing each other’s resources, like session cookies.
The same-origin policy is usually enforced per domain. For example, google.com cannot access the session cookies for yahoo.com even though the user might be logged into both websites at the same time in the same browser. However, depending on the cookie settings, subdomains can access session cookies set by their parent domains.
This appears to be the case with Yahoo, where the user remains logged in regardless of what Yahoo subdomain they visit, including developer.yahoo.com.
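As an added illustration (not part of the original article or of Bitdefender's analysis), the following JavaScript models how a cookie's Domain attribute decides which hosts receive it and whether page script there can read it. The hosts, cookie names and values are constructed, and Path, Secure and public-suffix checks are left out.

```javascript
// Added example: cookie scoping per RFC 6265. All hosts and cookies are constructed.

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie header received from originHost.
// Returns null when the Domain attribute does not cover the setting host,
// which is the case where a browser discards the cookie.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = {
    name: pair.slice(0, pair.indexOf("=")),
    domain: originHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: exact host only
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "domain" && value !== "") {
      cookie.domain = value.replace(/^\./, "").toLowerCase(); // leading dot ignored
      cookie.hostOnly = false;
    } else if (key.toLowerCase() === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return domainMatch(originHost, cookie.domain) ? cookie : null;
}

// How a page served from `host` relates to the cookie.
function exposure(header, originHost, host) {
  const c = parseSetCookie(header, originHost);
  if (c === null) return "rejected";
  const sent = c.hostOnly ? host.toLowerCase() === c.domain : domainMatch(host, c.domain);
  if (!sent) return "not-sent";
  return c.httpOnly ? "sent-not-script-readable" : "script-readable";
}

const samples = [
  "SID=abc123; Domain=.example.com; Path=/",          // parent-domain scope
  "SID=abc123; Domain=example.com; Path=/; HttpOnly", // parent scope, hidden from script
  "SID=abc123; Path=/; HttpOnly",                     // host-only
];
for (const h of samples) {
  console.log(h, "->", exposure(h, "login.example.com", "blog.example.com"));
}
```

Only the first sample leaves the session cookie readable by script on a sibling subdomain; the host-only form never reaches that subdomain at all.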
The exploited XSS vulnerability is actually located in a WordPress component called SWFUpload and was patched in WordPress version 3.3.2, which was released in April 2012, the Bitdefender researchers said. However, the YDN Blog site appears to be using an outdated version of WordPress.
Exploit reported, squashed
After discovering the attack on Wednesday, the Bitdefender researchers searched the company’s spam database and found very similar messages dating back almost a month, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email.
“It is extremely difficult to estimate the success rate of such an attack because it can’t be seen in the sensor network,” he said. “However, we estimate that roughly one percent of the spam we have processed in the past month is caused by this incident.”
Bitdefender reported the vulnerability to Yahoo on Wednesday, but it still appeared to be exploitable on Thursday, Botezatu said. “Some of our test accounts are still sending this specific type of spam,” he said.
In a statement sent later on Thursday, Yahoo said it had patched the vulnerability.
“Yahoo takes security and our users’ data seriously,” a Yahoo representative said via email. “We recently learned of a vulnerability from an external security firm and confirm that we have fixed the vulnerability. We encourage concerned users to change their passwords to a strong password that combines letters, numbers, and symbols; and to enable the second login challenge in their account settings.”
Botezatu advised users to avoid clicking on links received via email, especially if they are shortened with bit.ly. Determining whether a link is malicious before opening it can be hard with attacks like these, he said.
In this case, the messages came from people the users knew—the senders were in their contact lists—and the malicious site was well-crafted to look like the respectable MSNBC portal, he said. “It is a type of attack that we expect to be highly successful.”