Feeds

Hole in Yahoo! surrenders keys to the kingdom

Attack of the killer XSS

Protecting against web application threats using SSL

Yahoo has closed a gaping hole that attackers were exploiting to gain access to victims' Yahoo Mail accounts and other restricted areas of site.

The cross site scripting error in the hotjobs.yahoo.com domain allowed the attackers to inject cleverly obfuscated javascript into the page that silently siphoned the cookies used to authenticate Yahoo users when they log in to sections of the portal that require a password. Armed with the cookies, attackers were then given broad control over the victim's Yahoo account, including Yahoo Email and any other service that uses authentication cookies belonging to the yahoo.com domain.

"I guess the beautiful bit about it from an attacker's viewpoint is quite a lot of people would be unaware of what's happened" after accessing a booby-trapped hotjobs URL, said Paul Mutton, an internet services developer for Netcraft who helped discover the exploit. "Not many people will think of changing their password after that happens."

To Yahoo's credit, Mutton said the XSS error was closed within hours of him reporting it to Yahoo's security team. But the episode is a reminder that even the biggest sites can be needlessly sloppy when it comes to handling authentication cookies. The attack would have been impossible to carry out had Yahoo bothered to use http-only cookies.

Yahoo is hardly alone here. Last month, bankofamerica.com, register.com, netflix.com and dozens of other big name sites were caught transmitting credentials that are vulnerable to a new tool called CookieMonster. That attack is neutered when sites use https-only cookies.

A Yahoo spokeswoman thanked Netcraft for help identifying the problem. She reminded users of the importance of resetting passwords. That's a sensible precaution, but it would have done nothing to protect users against this attack.

According to Mutton, XSS vulnerability was exploited by hotjobs.com URLs that contained a long series of digits. When transformed into javascript it redirected users to a blank webpage on a different domain. A victim need not enter a user name or password. Visiting the blank page was all that was required to steal an authentication cookie that acts as a universal key across the the entire yahoo.com domain.

At time of writing, the blank page remained up and running. It's unknown if it's being used to attack other websites. Netcraft's report is here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.