38 comments

[ 3.5 ms ] story [ 68.3 ms ] thread
A little heads up to the Yahoo Security team probably would have been appreciated!
It's not like this was someone revealing the vulnerability, though. The first knowledge of it was an in-the-wild attack; not much you can do about it at that point.
This has been going on for days (months, if it is the same thing as the November/December problems), so I assumed Yahoo knew about it.

I only care because my dentist's receptionist uses Yahoo.

Whenever I hear something negative about Yahoo, I feel really sorry for them. Yahoo used to be a great company a few years back. Their messenger was one of the best products they ever had, their mail used to be REALLY good (in the early days). But soon, they failed to adapt with the market's needs and they are now here where they are. They COULD have been a great company if they had put in as much effort as their competitors had put in, in understanding their market.

The best example was about how they failed to respond to Gmail's popularity. Gmail gave almost every single feature away for free, that Yahoo charged (and still charges?) a premium for. For example - Mail forwarding, (POP, IMAP too?) and so on. I personally used to have a .co.uk address with them and eventually moved to Gmail because their ads were into my face, unlike Gmail's, where they are very subtle.

Also the UX on most Yahoo's sites are terribly poor. Ever visited their homepage? Looks like a cluttered fish market.

Bad UX killed Yahoo. Intrusive, animated advertisements and a cluttered home page are how I will always remember them. I often joke about how I test Internet connections by going to yahoo.com in the browser since no one goes there anymore and I won't be deceived by cache :P
Haha! I like the 'internet-testing' part :D
Already, two of my Facebook friends have reported they have been hit with this vulnerability.
How technical are your friends? Sometimes people think they have been "hacked" when their contacts receive spam with their name in the From: header. That is not the case at all. Spammers simply spoof the From:. No hack required.

Beside, this XSS vulnerability is silent by nature. The victim has no idea and no visual indication that clicking a link ends up stealing his/her Yahoo auth cookies.

Sure, but if the victim sends the same email to all of their friends, he or she will surely end up finding out.
Spammers also have ways to determine your social circle (eg. scraping Facebook), so they can send mail to all your friends.
Depends on how visible your name->email is. I got one yesterday to my current non-public email address (never used for anything except person to person email, and usually not even that), from the one guy I know who uses yahoo email. Told him he might want to make sure his AV is in shape and change his password. Still no idea if it's from this or something else, he discovered that he had a bit of malware (nothing extreme, your average user level) so it could have been anything, but the timing is pretty suspicious considering his setup has gotten infected exactly once over about the four years I've known him (that I know of, but I have no doubt I'd be the first to know).
The two friends in question aren't very technical at all. They had reported, after being alerted by a friend, that their account had sent out emails posing as them and contained a malicious link. They confirmed this by checking their sent mail.

So I think this is more than spoofed email. Plus, having both of these friends, with Yahoo accounts, report this on the same day of this vulnerability going public is a pretty big coincidence.

Would following their advice of changing your password actually help in this situation? While it's a good practice in general, if I'm understanding this right, the attacker never has your password.
This is what I'm wondering as well. My wife's account was a part of this hack yesterday, though oddly she never uses the web interface. Maybe she was logged in regardless. She changed her password afterwards, but maybe the solution is to just log out of your account to kill that auth session cookie?
It's an xss attack that takes advantage of the fact that you're logged in, they don't need your password. The best way to avoid it is to only log into your account in a separate browser that's in incognito mode. That, or log out of your Yahoo account immediately after you've done your business with them and don't hit any other web sites while you're logged in.
Changing your password is the best way to invalidate your Yahoo! login cookies (which is what's apparently been stolen based on comments). To verify with Yahoo! mail, log in with two browsers, change password on one and you'll be forced to reverify with the other.
I personally witnessed two instances of this attack as early as December 8. I couldn't figure out until now how it was done.
How did you "witness" them? Were they doing js popups from yahoo.com?
People still use Yahoo mail?
I believe several ISPs have deals with Yahoo to offer an email address to their customers. BT (British Telecoms) in the UK use them, as do AT&T in the USA. A huge number of people never change from their supplied addresses, and seeing as they tend to be more likely to click on a link in an unsolicited email, this has the potential to cause quite a few issues.
So, why does the browser send yahoo.com cookies to a request to abysswhatever.com when the user clicks on the link in the email?

he just created a pretty valid link with no shenanigans... last i checked, a XSS attack was about making a site churn out javascript code when it was not intended to and then you could make a request that passed that domain's cookies to you.

The browser doesn't send yahoo.com cookies to abysssec.com. The way XSS's work in general is that the attacker's landing page probably has an invisible iframe that GETs or POSTs to yahoo.com, with the right parameters, to trigger an XSS with js code that sends the cookies back to abysssec.com All this is invisible in the video, as the author does not want to disclose the technical details.
ah, ok. that's conveniently left out of the 'demo' ...but what was i expecting from a youtube video?

thanks!

It sounds like disabling 3rd party cookies fixes this, right?
The cookie is a first-party yahoo cookie that is sent via a GET parameter to a remote server in plain-text.

So nope that won't help.

I believe my Yahoo account was hit by this, since my sent mailbox showed messages with links similar to one I accidentally clicked (from a Gmail account!).

The comments in this thread suggest that the attackers now have my cookies. What can I do to invalidate old cookies for Yahoo mail?

The least you can do is change your password. I don't know if Yahoo! can log you out of your account in other locations, the way Gmail does.
So does YMail have anything to do with this -- if you were logged into Yahoo and visited the bad page then Evil, Inc would still get your Y and T cookies, right?

I have received "Check out this cool link" emails from friends who use Yahoo mail, but I assumed that it was just scraping their Yahoo address book...