Yahoo Mail users hit by widespread XSS exploit (opens in new tab)

(thenextweb.com)

70 pointsmacleanjr13y ago38 comments

38 comments

30 comments · 10 top-level

neya13y ago· 4 in thread

Whenever I hear something negative about Yahoo, I feel really sorry for them. Yahoo used to be a great company a few years back. Their messenger was one of the best products they ever had, their mail used to be REALLY good (in the early days). But soon, they failed to adapt with the market's needs and they are now here where they are. They COULD have been a great company if they had put in as much effort as their competitors had put in, in understanding their market.

The best example was about how they failed to respond to Gmail's popularity. Gmail gave almost every single feature away for free, that Yahoo charged (and still charges?) a premium for. For example - Mail forwarding, (POP, IMAP too?) and so on. I personally used to have a .co.uk address with them and eventually moved to Gmail because their ads were into my face, unlike Gmail's, where they are very subtle.

Also the UX on most Yahoo's sites are terribly poor. Ever visited their homepage? Looks like a cluttered fish market.

csmatt13y ago

Bad UX killed Yahoo. Intrusive, animated advertisements and a cluttered home page are how I will always remember them. I often joke about how I test Internet connections by going to yahoo.com in the browser since no one goes there anymore and I won't be deceived by cache :P

TazeTSchnitzel13y ago

In the US, perhaps. The "cluttered homepage" design is popular in Japan.

1 more reply

sp33213y ago

Yahoo isn't dead, they've been profitable. And their stock is up lately. https://www.google.com/finance?q=yahoo

1 more reply

neya13y ago

Haha! I like the 'internet-testing' part :D

gcb013y ago· 3 in thread

So, why does the browser send yahoo.com cookies to a request to abysswhatever.com when the user clicks on the link in the email?

he just created a pretty valid link with no shenanigans... last i checked, a XSS attack was about making a site churn out javascript code when it was not intended to and then you could make a request that passed that domain's cookies to you.

mrb13y ago

The browser doesn't send yahoo.com cookies to abysssec.com. The way XSS's work in general is that the attacker's landing page probably has an invisible iframe that GETs or POSTs to yahoo.com, with the right parameters, to trigger an XSS with js code that sends the cookies back to abysssec.com All this is invisible in the video, as the author does not want to disclose the technical details.

bcoates13y ago

It sounds like disabling 3rd party cookies fixes this, right?

1 more reply

gcb013y ago

ah, ok. that's conveniently left out of the 'demo' ...but what was i expecting from a youtube video?

thanks!

mifrai13y ago· 3 in thread

Would following their advice of changing your password actually help in this situation? While it's a good practice in general, if I'm understanding this right, the attacker never has your password.

mullingitover13y ago

It's an xss attack that takes advantage of the fact that you're logged in, they don't need your password. The best way to avoid it is to only log into your account in a separate browser that's in incognito mode. That, or log out of your Yahoo account immediately after you've done your business with them and don't hit any other web sites while you're logged in.

gs713y ago

This is what I'm wondering as well. My wife's account was a part of this hack yesterday, though oddly she never uses the web interface. Maybe she was logged in regardless. She changed her password afterwards, but maybe the solution is to just log out of your account to kill that auth session cookie?

toast013y ago

Changing your password is the best way to invalidate your Yahoo! login cookies (which is what's apparently been stolen based on comments). To verify with Yahoo! mail, log in with two browsers, change password on one and you'll be forced to reverify with the other.

Simucal13y ago· 3 in thread

Already, two of my Facebook friends have reported they have been hit with this vulnerability.

mrb13y ago

How technical are your friends? Sometimes people think they have been "hacked" when their contacts receive spam with their name in the From: header. That is not the case at all. Spammers simply spoof the From:. No hack required.

Beside, this XSS vulnerability is silent by nature. The victim has no idea and no visual indication that clicking a link ends up stealing his/her Yahoo auth cookies.

Simucal13y ago

The two friends in question aren't very technical at all. They had reported, after being alerted by a friend, that their account had sent out emails posing as them and contained a malicious link. They confirmed this by checking their sent mail.

So I think this is more than spoofed email. Plus, having both of these friends, with Yahoo accounts, report this on the same day of this vulnerability going public is a pretty big coincidence.

Pr013y ago

Sure, but if the victim sends the same email to all of their friends, he or she will surely end up finding out.

1 more reply

mikekij13y ago· 3 in thread

People still use Yahoo mail?

waitwhat13y ago

More than use Gmail -- http://www.campaignmonitor.com/resources/will-it-work/email-...

dvhh13y ago

read the fine print, it could mean that iOS mail client don't care that much about privacy. Almost all mail client hide external image by default (and a whitelist mechanism).

JoshuaRedmond13y ago

I believe several ISPs have deals with Yahoo to offer an email address to their customers. BT (British Telecoms) in the UK use them, as do AT&T in the USA. A huge number of people never change from their supplied addresses, and seeing as they tend to be more likely to click on a link in an unsolicited email, this has the potential to cause quite a few issues.

ppierald13y ago· 2 in thread

A little heads up to the Yahoo Security team probably would have been appreciated!

daeken13y ago

It's not like this was someone revealing the vulnerability, though. The first knowledge of it was an in-the-wild attack; not much you can do about it at that point.

rdl13y ago

This has been going on for days (months, if it is the same thing as the November/December problems), so I assumed Yahoo knew about it.

I only care because my dentist's receptionist uses Yahoo.

eric-hu13y ago· 1 in thread

I believe my Yahoo account was hit by this, since my sent mailbox showed messages with links similar to one I accidentally clicked (from a Gmail account!).

The comments in this thread suggest that the attackers now have my cookies. What can I do to invalidate old cookies for Yahoo mail?

Timothee13y ago

The least you can do is change your password. I don't know if Yahoo! can log you out of your account in other locations, the way Gmail does.

kbanman13y ago· 1 in thread

I personally witnessed two instances of this attack as early as December 8. I couldn't figure out until now how it was done.

mrb13y ago

How did you "witness" them? Were they doing js popups from yahoo.com?

xSwag13y ago

Exploit in action: http://www.youtube.com/watch?v=iBXvebXo-F4

It is currently being sold for $700 in various semi-public blackhat forums (hence widespread usage).

randallu13y ago

So does YMail have anything to do with this -- if you were logged into Yahoo and visited the bad page then Evil, Inc would still get your Y and T cookies, right?

I have received "Check out this cool link" emails from friends who use Yahoo mail, but I assumed that it was just scraping their Yahoo address book...

j / k navigate · click thread line to collapse

38 comments

30 comments · 10 top-level

neya13y ago· 4 in thread

Also the UX on most Yahoo's sites are terribly poor. Ever visited their homepage? Looks like a cluttered fish market.

csmatt13y ago

TazeTSchnitzel13y ago

In the US, perhaps. The "cluttered homepage" design is popular in Japan.

1 more reply

sp33213y ago

Yahoo isn't dead, they've been profitable. And their stock is up lately. https://www.google.com/finance?q=yahoo

1 more reply

neya13y ago

Haha! I like the 'internet-testing' part :D

gcb013y ago· 3 in thread

So, why does the browser send yahoo.com cookies to a request to abysswhatever.com when the user clicks on the link in the email?

mrb13y ago

bcoates13y ago

It sounds like disabling 3rd party cookies fixes this, right?

1 more reply

gcb013y ago

ah, ok. that's conveniently left out of the 'demo' ...but what was i expecting from a youtube video?

thanks!

mifrai13y ago· 3 in thread

Would following their advice of changing your password actually help in this situation? While it's a good practice in general, if I'm understanding this right, the attacker never has your password.

mullingitover13y ago

gs713y ago

toast013y ago

Simucal13y ago· 3 in thread

Already, two of my Facebook friends have reported they have been hit with this vulnerability.

mrb13y ago

Beside, this XSS vulnerability is silent by nature. The victim has no idea and no visual indication that clicking a link ends up stealing his/her Yahoo auth cookies.

Simucal13y ago

So I think this is more than spoofed email. Plus, having both of these friends, with Yahoo accounts, report this on the same day of this vulnerability going public is a pretty big coincidence.

Pr013y ago

Sure, but if the victim sends the same email to all of their friends, he or she will surely end up finding out.

1 more reply

mikekij13y ago· 3 in thread

People still use Yahoo mail?

waitwhat13y ago

More than use Gmail -- http://www.campaignmonitor.com/resources/will-it-work/email-...

dvhh13y ago

read the fine print, it could mean that iOS mail client don't care that much about privacy. Almost all mail client hide external image by default (and a whitelist mechanism).

JoshuaRedmond13y ago

ppierald13y ago· 2 in thread

A little heads up to the Yahoo Security team probably would have been appreciated!

daeken13y ago

It's not like this was someone revealing the vulnerability, though. The first knowledge of it was an in-the-wild attack; not much you can do about it at that point.

rdl13y ago

This has been going on for days (months, if it is the same thing as the November/December problems), so I assumed Yahoo knew about it.

I only care because my dentist's receptionist uses Yahoo.

eric-hu13y ago· 1 in thread

I believe my Yahoo account was hit by this, since my sent mailbox showed messages with links similar to one I accidentally clicked (from a Gmail account!).

The comments in this thread suggest that the attackers now have my cookies. What can I do to invalidate old cookies for Yahoo mail?

Timothee13y ago

The least you can do is change your password. I don't know if Yahoo! can log you out of your account in other locations, the way Gmail does.

kbanman13y ago· 1 in thread

I personally witnessed two instances of this attack as early as December 8. I couldn't figure out until now how it was done.

mrb13y ago

How did you "witness" them? Were they doing js popups from yahoo.com?

xSwag13y ago

Exploit in action: http://www.youtube.com/watch?v=iBXvebXo-F4

It is currently being sold for $700 in various semi-public blackhat forums (hence widespread usage).

randallu13y ago

So does YMail have anything to do with this -- if you were logged into Yahoo and visited the bad page then Evil, Inc would still get your Y and T cookies, right?

I have received "Check out this cool link" emails from friends who use Yahoo mail, but I assumed that it was just scraping their Yahoo address book...

j / k navigate · click thread line to collapse