Feeds

Brute-force attacks target two-year hole in Yahoo! Mail

Your password is 123456

Protecting against web application threats using SSL

Scammers are exploiting a two-year-old security hole in Yahoo's network that gives them unlimited opportunities to guess login credentials for Yahoo Mail accounts, a researcher said.

The vulnerability resides in a web application that automates the process of logging in to the widely used webmail service. Because it fails to carry out a variety of security checks followed by the login page Yahoo! Mail users typically use, it's providing criminals with a backdoor through which user accounts can be breached, said Ryan Barnett, director of application security research at Breach Security.

"If the front gate of your castle is your login page to Yahoo Mail, they've done a good job of securing it," he told The Register. The web application amounts to "some sort of water tunnel that the bad guys are walking right through."

Over the past seven weeks, a sensor deployed by WASC, or the Web Application Security Consortium, has detected "a few thousand" or more attempts to use the unprotected web application to carry out brute-force attacks on user passwords, Barnett said. Because the sensor is installed on just one of a massive number of open proxies, the honeypot is likely detecting only a small fraction of the overall activity, he added.

The data is some of the first to confirm what security professionals have suspected for almost a decade: A major contributor to the steady stream of account hijackings on a wide range of sites is overlooked backend web applications that aren't properly locked down.

"I fought these exact kinds of attack when I was at eBay," said Laura Mather, a former security employee at the online auction house who is now VP of product marketing at a company called Silver Tail Systems. "Almost every site I can think of has this problem."

Jeremiah Grossman, CTO of White Hat Security, concurred. "Every major social network and portal is seeing this brute-force attack," he said. "Now that Ryan has put this out, it's exposing what we already knew to be true."

The web application in this case appears to be a backend application programming interface that allows customers of Yahoo partners to check their Yahoo Mail without having to leave the partner website. Because it contains the text "config/isp_verify_user" in URLs, it's easy to track it using search engines. This Google search, for instance, showed hundreds of locations on Yahoo's network where it was deployed.

Among the security lapses leading to abuse of the API is its failure to implement what are known as access control lists, which restrict the computers that are allowed to use the service. While best practices dictate that only qualified partners have access to it, at time of writing, anyone could tap into it and plug in usernames and passwords to authenticate Yahoo Mail accounts.

Another failure is the wealth of information the app returns when invalid information is entered. When a user enters the wrong password for a valid username into Yahoo Mail's front end system, it returns a terse error message that says only that either one of them is incorrect.

By contrast, plugging a valid user ID and wrong password into the API returns a message that indicates the username is valid. And that gives attackers information that proves invaluable in further compromising the account. Armed with that information, criminals can run a long list of the most commonly used passwords against the user IDs. Because Yahoo has virtually no rules barring the use of weak passwords - "123456" is perfectly acceptable, for instance - a decent percentage of credentials can be deduced.

What's more, the front end presents Yahoo Mail users with a captcha if they've entered incorrect passwords an excessive number of times, a measure designed to thwart automated cracking scripts. The API, by contrast, never implements a captcha no matter how many incorrect credentials are entered.

"They're cycling through different common usernames, different common passwords," Barnett said, describing the modus operandi of many password crackers. "At least if a web application locks out an account or does something if it's under attack, that might buy you some more time. If they have unrestricted access to run these kinds of scams, then it's just a matter of time."

Once breached, the accounts prove to be a spammer goldmine, since spam filters typically give webmail services the green light. Even worse, criminals can use the accounts to break in to other, more lucrative accounts, such as those used for bank accounts and other financial services.

Barnett, who earlier this week blogged about the vulnerability here, said he's known of the flaws in the Yahoo API for years. He brought them to the attention of Yahoo officials in 2007, but as of Friday it still hadn't been fixed, he added.

"Yahoo! takes online security very seriously," a company spokesman said. "We are investigating the situation and will take appropriate action." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.