Feeds

Hole in Yahoo! surrenders keys to the kingdom

Attack of the killer XSS

The essential guide to IT transformation

Yahoo has closed a gaping hole that attackers were exploiting to gain access to victims' Yahoo Mail accounts and other restricted areas of site.

The cross site scripting error in the hotjobs.yahoo.com domain allowed the attackers to inject cleverly obfuscated javascript into the page that silently siphoned the cookies used to authenticate Yahoo users when they log in to sections of the portal that require a password. Armed with the cookies, attackers were then given broad control over the victim's Yahoo account, including Yahoo Email and any other service that uses authentication cookies belonging to the yahoo.com domain.

"I guess the beautiful bit about it from an attacker's viewpoint is quite a lot of people would be unaware of what's happened" after accessing a booby-trapped hotjobs URL, said Paul Mutton, an internet services developer for Netcraft who helped discover the exploit. "Not many people will think of changing their password after that happens."

To Yahoo's credit, Mutton said the XSS error was closed within hours of him reporting it to Yahoo's security team. But the episode is a reminder that even the biggest sites can be needlessly sloppy when it comes to handling authentication cookies. The attack would have been impossible to carry out had Yahoo bothered to use http-only cookies.

Yahoo is hardly alone here. Last month, bankofamerica.com, register.com, netflix.com and dozens of other big name sites were caught transmitting credentials that are vulnerable to a new tool called CookieMonster. That attack is neutered when sites use https-only cookies.

A Yahoo spokeswoman thanked Netcraft for help identifying the problem. She reminded users of the importance of resetting passwords. That's a sensible precaution, but it would have done nothing to protect users against this attack.

According to Mutton, XSS vulnerability was exploited by hotjobs.com URLs that contained a long series of digits. When transformed into javascript it redirected users to a blank webpage on a different domain. A victim need not enter a user name or password. Visiting the blank page was all that was required to steal an authentication cookie that acts as a universal key across the the entire yahoo.com domain.

At time of writing, the blank page remained up and running. It's unknown if it's being used to attack other websites. Netcraft's report is here. ®

5 things you didn’t know about cloud backup

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.