1

Lately I've gotten random emails from friends with Yahoo Mail (or sbcglobal.net, which uses Yahoo Mail) without a subject and some random URL that I'm not going to click on.

At first I thought that someone had gotten ahold of their password, and I recommended that they update passwords.

I just now got an email from someone who changed their password last week.

Is this some sort of cross-site scripting vulnerability? Is there any way to find out from just being the recipient of one of the messages?

Here are a few of the headers from a recent mail:

Received: from [999.999.999.999] by web83806.mail.sp1.yahoo.com via HTTP; Wed, 27 Jun 2012 09:23:30 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1340814210.6602.YahooMailNeo@web83806.mail.sp1.yahoo.com>
Date: Wed, 27 Jun 2012 09:23:30 -0700 (PDT)

The blacklisted IP in the received header was from a dynamic IP in Norway.

So I'm assuming the machine at that IP was able to get my friend's Yahoo Mail cookie and use it to send email to people in her address book. Does that sound accurate? Even if someone was using an HTTPS connection to Yahoo Mail, a specially crafted email might be able to extract the cookie and deliver it elsewhere via an RPCXML call, right?

So how do you secure a Yahoo Mail account from an attack like this?

UPDATE: I've received emails like this from four different people now. It obviously isn't an isolated incident, and there's surely something that users of Yahoo Mail can do to protect themselves.

tomlogic
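Reading those headers mechanically, as an added example that is not part of the original post: a small Python parser that pulls the origin IP, relay host and submission protocol out of the first Received header and flags a "via HTTP" submission through a Yahoo webmail host, which is the signature of a message sent through the web interface with a valid session rather than a forged one. The sample header reproduces the question's own (placeholder 999.x) values; the second, SMTP sample is constructed for contrast.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample reproducing the header shape shown in the question
# (the 999.x address is the question's own placeholder, not a real host).
YAHOO_SAMPLE = """\
Received: from [999.999.999.999] by web83806.mail.sp1.yahoo.com via HTTP; Wed, 27 Jun 2012 09:23:30 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1340814210.6602.YahooMailNeo@web83806.mail.sp1.yahoo.com>
Date: Wed, 27 Jun 2012 09:23:30 -0700 (PDT)

"""

# Constructed contrast sample: an ordinary SMTP hop, not a webmail submission.
SMTP_SAMPLE = """\
Received: from [192.0.2.10] by mx.example.org via SMTP; Wed, 27 Jun 2012 10:00:00 PDT
X-Mailer: Some Desktop Client 1.0

"""

RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[^\]]+)\] by (?P<relay>\S+) via (?P<proto>\S+);\s*(?P<when>.+)$"
)


def parse_webmail_received(raw_message: str) -> dict:
    """Return origin IP, relay, protocol and timestamp from the first Received
    header, plus whether the hop looks like a Yahoo webmail (HTTP) submission."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return {"verdict": "no Received header"}
    m = RECEIVED_RE.search(received[0].replace("\n", " "))
    if not m:
        return {"verdict": "unrecognised Received format"}
    info = m.groupdict()
    try:
        info["ip_public"] = ip_address(info["ip"]).is_global
        info["ip_valid"] = True
    except ValueError:  # e.g. the 999.x placeholder in the question
        info["ip_public"] = None
        info["ip_valid"] = False
    # A 'via HTTP' hop on a yahoo.com web host with the Yahoo web-mailer tag
    # means the mail was composed in the web UI under an authenticated session.
    info["webmail_submission"] = (
        info["proto"].upper() == "HTTP"
        and info["relay"].endswith(".yahoo.com")
        and msg.get("X-Mailer", "").startswith("YahooMailWebService")
    )
    info["verdict"] = ("sent through Yahoo webmail from " + info["ip"]
                       if info["webmail_submission"] else "ordinary relay hop")
    return info
```

A webmail submission from an unexpected country does not by itself say whether a password or a session cookie was used; it only rules out plain header forgery.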

3 Answers

1

@tomlogic: I'm wondering if this is coming from the "Always-logged-on" part of Yahoo Toolbar. It wouldn't be difficult to spoof the https connection as coming from a Yahoo server through the scripting of the page, basically requesting the user id in a secure format (although as you pointed out, it could just as easily be the session cookie, since the Yahoo sessions are practically indefinite in length now) in order for the page to know which ad to serve up based on the saved profile.

I have no knowledge that this is actually the case, but this is how I would do it: you have to uncheck a whole lotta boxes when you're setting up Yahoo mail (and several other 'free' apps) in order to keep from installing that freaking toolbar that does absolutely nothing other than provide a Yahoo search box (who uses that anymore?) and a new e-mail notification, but also stores every single website you visit and everything you type into an unencrypted web form.

I've been sending replies to the 5 different people that have sent me one of these "no subject with link to phishing site" e-mails that they should change their password from a different computer or from a smartphone, then run an antivirus as well as an anti-spyware such as MalwareBytes or SpyBot before logging back in to Yahoo on their own computer, and also remove Yahoo Toolbar and associated Yahoo apps. What added value do they provide, anyhow?

1

Happened to my yahoo account too. The infection resulted from an email directing to a web link which I inadvertently clicked from my Blackberry. Had to change password, delete the Blackberry connection to Yahoo email and delete my Yahoo contact list just to be on the safe side. Have reported to Yahoo customer support but they only provided standard answers. I had not installed Yahoo toolbar. I strongly suspect the attacker is exploiting some weakness in the Yahoo Accounts infrastructure, possibly related to the Yahoo BIS connector for Blackberry. This does not seem a password cracking attempt, nor a session hijacking.

0

It's not Cross Site Scripting.

It could be possible that your friend is a victim of phishing or infected by spyware on his PC. There are many types of spyware in the internet sea that steal users' passwords, credit card details, cookies and other important details.

Such bots install themselves in the browser as an add-on or extension, load from there, and post or mail spam.

To be secure, update your browser frequently and use a good anti-spyware tool (Spybot Search & Destroy).