Yahoo Email Attack

Monday, February 4, 2013 @ 07:02 PM gHale

Hackers behind an email attack are exploiting a vulnerability in a Yahoo website to hijack the email accounts of Yahoo users and use them for spam, security researchers said.

The attack begins with users receiving a spam email with their name in the subject line and a short “check out this page” message followed by a shortened link, said researchers at antivirus provider Bitdefender.

Amazon Fixes Security Hole
Security Release for Drupal
Web Site Security Holes
Potential Yahoo Mail XSS Bug

Clicking on the link takes users to a website masquerading as the MSNBC news site that contains an article about how to make money while working from home, the Bitdefender researchers said in a blog post.

At first glance, this seems no different from other work-from-home scam sites. However, in the background, a piece of JavaScript code exploits a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network (YDN) Blog site in order to steal the visitor’s Yahoo session cookie.

Session cookies are strings of text stored by websites inside browsers in order to remember logged-in users until they sign out. Web browsers use a security mechanism to prevent websites opened in different tabs from accessing each other’s resources, like session cookies.

The same-origin policy usually ends up enforced per domain. For example, cannot access the session cookies for even though the user might be in both websites at the same time in the same browser. However, depending on the cookie settings, subdomains can access session cookies set by their parent domains.

This appears to be the case with Yahoo, where the user remains logged in regardless of what Yahoo subdomain they visit, including

The rogue JavaScript code loaded from the fake MSNBC website forces the visitor’s browser to call with a specifically crafted URL that exploits the XSS vulnerability and executes additional JavaScript code in the context of the subdomain.

This additional JavaScript code reads the Yahoo user’s session cookie and uploads it to a website controlled by the attackers. The cookie can then access the user’s email account and send the spam email to all of their contacts. In a sense, this is a XSS-powered, self-propagating email worm.

The exploited XSS vulnerability is actually in a WordPress component called SWFUpload and patched in WordPress version 3.3.2 released in April 2012, Bitdefender researchers said. However, the YDN Blog site appears to be using an outdated version of WordPress.

After discovering the attack, the Bitdefender researchers searched the company’s spam database and found very similar messages dating back almost a month, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

Bitdefender reported the vulnerability to Yahoo on Wednesday, but it still appeared to be exploitable the following day, Botezatu said.

In a statement sent on Thursday, Yahoo said it had patched the vulnerability.

“Yahoo takes security and our users’ data seriously,” a Yahoo official said. “We recently learned of a vulnerability from an external security firm and confirm that we have fixed the vulnerability. We encourage concerned users to change their passwords to a strong password that combines letters, numbers, and symbols; and to enable the second login challenge in their account settings.”

Botezatu advised users to avoid clicking on links received via email, especially if they end up shortened with Determining whether a link is malicious before opening it can be hard with attacks like these, he said.

Leave a Reply

You must be logged in to post a comment.