It's not like this was someone revealing the vulnerability, though. The first knowledge of it was an in-the-wild attack; not much you can do about it at that point.
Whenever I hear something negative about Yahoo, I feel really sorry for them. Yahoo used to be a great company a few years back. Their messenger was one of the best products they ever had, their mail used to be REALLY good (in the early days). But soon, they failed to adapt with the market's needs and they are now here where they are. They COULD have been a great company if they had put in as much effort as their competitors had put in, in understanding their market.
The best example was about how they failed to respond to Gmail's popularity. Gmail gave almost every single feature away for free, that Yahoo charged (and still charges?) a premium for. For example - Mail forwarding, (POP, IMAP too?) and so on. I personally used to have a .co.uk address with them and eventually moved to Gmail because their ads were into my face, unlike Gmail's, where they are very subtle.
Also the UX on most Yahoo's sites are terribly poor. Ever visited their homepage? Looks like a cluttered fish market.
Bad UX killed Yahoo. Intrusive, animated advertisements and a cluttered home page are how I will always remember them. I often joke about how I test Internet connections by going to yahoo.com in the browser since no one goes there anymore and I won't be deceived by cache :P
How technical are your friends? Sometimes people think they have been "hacked" when their contacts receive spam with their name in the From: header. That is not the case at all. Spammers simply spoof the From:. No hack required.
Beside, this XSS vulnerability is silent by nature. The victim has no idea and no visual indication that clicking a link ends up stealing his/her Yahoo auth cookies.
Depends on how visible your name->email is. I got one yesterday to my current non-public email address (never used for anything except person to person email, and usually not even that), from the one guy I know who uses yahoo email. Told him he might want to make sure his AV is in shape and change his password. Still no idea if it's from this or something else, he discovered that he had a bit of malware (nothing extreme, your average user level) so it could have been anything, but the timing is pretty suspicious considering his setup has gotten infected exactly once over about the four years I've known him (that I know of, but I have no doubt I'd be the first to know).
The two friends in question aren't very technical at all. They had reported, after being alerted by a friend, that their account had sent out emails posing as them and contained a malicious link. They confirmed this by checking their sent mail.
So I think this is more than spoofed email. Plus, having both of these friends, with Yahoo accounts, report this on the same day of this vulnerability going public is a pretty big coincidence.
Would following their advice of changing your password actually help in this situation? While it's a good practice in general, if I'm understanding this right, the attacker never has your password.
This is what I'm wondering as well. My wife's account was a part of this hack yesterday, though oddly she never uses the web interface. Maybe she was logged in regardless. She changed her password afterwards, but maybe the solution is to just log out of your account to kill that auth session cookie?
It's an xss attack that takes advantage of the fact that you're logged in, they don't need your password. The best way to avoid it is to only log into your account in a separate browser that's in incognito mode. That, or log out of your Yahoo account immediately after you've done your business with them and don't hit any other web sites while you're logged in.
Changing your password is the best way to invalidate your Yahoo! login cookies (which is what's apparently been stolen based on comments). To verify with Yahoo! mail, log in with two browsers, change password on one and you'll be forced to reverify with the other.
read the fine print, it could mean that iOS mail client don't care that much about privacy.
Almost all mail client hide external image by default (and a whitelist mechanism).
I believe several ISPs have deals with Yahoo to offer an email address to their customers. BT (British Telecoms) in the UK use them, as do AT&T in the USA. A huge number of people never change from their supplied addresses, and seeing as they tend to be more likely to click on a link in an unsolicited email, this has the potential to cause quite a few issues.
So, why does the browser send yahoo.com cookies to a request to abysswhatever.com when the user clicks on the link in the email?
he just created a pretty valid link with no shenanigans... last i checked, a XSS attack was about making a site churn out javascript code when it was not intended to and then you could make a request that passed that domain's cookies to you.
The browser doesn't send yahoo.com cookies to abysssec.com. The way XSS's work in general is that the attacker's landing page probably has an invisible iframe that GETs or POSTs to yahoo.com, with the right parameters, to trigger an XSS with js code that sends the cookies back to abysssec.com All this is invisible in the video, as the author does not want to disclose the technical details.
I believe my Yahoo account was hit by this, since my sent mailbox showed messages with links similar to one I accidentally clicked (from a Gmail account!).
The comments in this thread suggest that the attackers now have my cookies. What can I do to invalidate old cookies for Yahoo mail?
So does YMail have anything to do with this -- if you were logged into Yahoo and visited the bad page then Evil, Inc would still get your Y and T cookies, right?
I have received "Check out this cool link" emails from friends who use Yahoo mail, but I assumed that it was just scraping their Yahoo address book...
38 comments
[ 3.5 ms ] story [ 68.3 ms ] threadI only care because my dentist's receptionist uses Yahoo.
The best example was about how they failed to respond to Gmail's popularity. Gmail gave almost every single feature away for free, that Yahoo charged (and still charges?) a premium for. For example - Mail forwarding, (POP, IMAP too?) and so on. I personally used to have a .co.uk address with them and eventually moved to Gmail because their ads were into my face, unlike Gmail's, where they are very subtle.
Also the UX on most Yahoo's sites are terribly poor. Ever visited their homepage? Looks like a cluttered fish market.
Beside, this XSS vulnerability is silent by nature. The victim has no idea and no visual indication that clicking a link ends up stealing his/her Yahoo auth cookies.
So I think this is more than spoofed email. Plus, having both of these friends, with Yahoo accounts, report this on the same day of this vulnerability going public is a pretty big coincidence.
he just created a pretty valid link with no shenanigans... last i checked, a XSS attack was about making a site churn out javascript code when it was not intended to and then you could make a request that passed that domain's cookies to you.
thanks!
So nope that won't help.
It is currently being sold for $700 in various semi-public blackhat forums (hence widespread usage).
The comments in this thread suggest that the attackers now have my cookies. What can I do to invalidate old cookies for Yahoo mail?
I have received "Check out this cool link" emails from friends who use Yahoo mail, but I assumed that it was just scraping their Yahoo address book...