Yahoo Webmail accounts exposed

Yahoo has fixed a bug in its Web based e-mail system that would have allowed attackers to seize control of users' e-mail accounts. The security flaw, discovered by eEye Digital Security's Drew Copley, allowed attackers to by-pass the Web-mail system's Javascript filters.

Yahoo has fixed a bug in its Web based e-mail system that would have allowed attackers to seize control of users' e-mail accounts.

The security flaw, discovered by eEye Digital Security's Drew Copley, allowed attackers to by-pass the Web-mail system's Javascript filters. Any message exceeding approximately 100kb in length would not be analysed by the filter, which is meant to strip messages of any potentially malicious Javascript.

In effect, this enabled attackers to take control of a user's account by sending them a specially crafted e-mail.

"A remarkable note about this bug is that no one seems to have found it before," Copley's advisory reads. "As far as anyone knows."

Speaking to ZDNet Australia  by phone from the U.S, Copley said it would be possible to use the flaw to capture the username and password of a Yahoo account holder.

"You can change the page that they're looking at. You can get all their contact information. You can do anything that a user would do on the page," he said. "The main thing people would do with this is to grab usernames and passwords through a re-login page."

This works by using Javascript to load a window that prompts the user to log in to the service again. However, when the user-name and password is entered, it is sent to the attacker, not to Yahoo. It works somewhat like a phishing scam, Copley said. The usual alarm bells would not ring for the average user, Copley added; Yahoo routinely prompts users with a window asking them to log in again following session time-outs.

The bug would also allow an attacker to seize the user's session cookie, which contains personal user details submitted to Yahoo. Copley has praised Yahoo's response to the issue.

"They were very professional and fixed it very quickly. I was impressed," he said.

The discovery of the bug did not come from hours of pain-staking research, Copley admits. He found it when another researcher, known as "http-equiv", sent him a virus, for research purposes, by e-mail that was over 100kb in size.

"He was showing me a virus that was using one of my bugs in the wild. It had all this code, and one of the parts just started running," he explained. "We found it by accident."

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All