Eight-month WordPress flaw responsible for Yahoo mail breach: Bitdefender

A cross-site scripting flaw that saw some Yahoo email users lose control of their accounts has now been traced back to a WordPress installation that was not patched for at least eight months.

Earlier in the year, a security issue saw Yahoo users lose control of their accounts. While the attack relied on customers clicking on a link to a malicious site, it was unknown how attackers were able to retrieve the session cookies required, since the site was not on a Yahoo domain.

According to Bitdefender, however, attackers used a flaw in the blogging software WordPress, which had been patched in April 2012, eight months prior. The WordPress blog that enabled the attack was Yahoo's own developer network site, which resides on the developer.yahoo.com domain. This meant that upon compromising it, hackers were able to access session cookies scoped to the yahoo.com domain, and then send them back to themselves.

Attackers first created a bogus news site modelled on the MSN/NBC News network and hosted it on at least two domains: com-im9.net and com-io4.net. Because of how these URLs read, unsuspecting users were presented with an address of the form www.msnbc.msn.com-im9.net, which at first glance may appear to be legitimate content on the msn.com domain.

[Figure: Fake MSN website screenshot] A screenshot of the fake news site used to trigger the attack. (Credit: Bitdefender)

As of the time of writing, these sites were down, but a few hours ago ZDNet's own examination of them verified that they contained an inline frame element that would make a request to the upload feature built in to the WordPress installation powering the Yahoo Developer Network blog. Bitdefender's earlier examination of the sites found the attackers had been using malicious code in JavaScript libraries to make the requests to the upload feature.

This upload feature was previously identified by Neal Poole and Nathan Partlan as containing a cross-site scripting flaw. They informed WordPress, and it was subsequently patched in version 3.2.2 released in April, marked as a security update.

Despite the availability of a patch, a security researcher from Websecurity going by the handle MustLive began to notice in November 2012 that the vulnerability was being exploited in the wild.

Using the flaw, attackers were able to send the user's session cookie, from the yahoo.com domain, to their own "beacon" site on com-io4.net and harvest the details. By replacing their own cookies with the victim's, the attackers were able to hijack the active login session and take control of the account. Yahoo's WordPress installation appears to have now been patched.
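The reason a flaw on developer.yahoo.com exposed mail sessions is cookie scoping: a cookie set with Domain=yahoo.com is sent to every subdomain, and only the HttpOnly attribute keeps injected script from reading it. The following audit script is an added example, not code from the article or from Bitdefender; the Set-Cookie headers and hostnames in it are constructed for illustration.

```python
"""Report which cookies an XSS on a sibling subdomain could read via document.cookie.

Models the RFC 6265 rules that matter here: a cookie whose Domain attribute is a
parent domain is sent to every subdomain, and only HttpOnly hides it from script.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    domain: Optional[str]  # None means host-only (no Domain attribute)
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Minimal Set-Cookie parser: name plus the Domain and HttpOnly attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, http_only = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = value.strip().lstrip(".").lower()
        elif key == "httponly":
            http_only = True
    return Cookie(name, domain, http_only)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def readable_by_script(cookie: Cookie, set_on_host: str, xss_host: str) -> bool:
    """True if JavaScript injected on xss_host can read this cookie."""
    if cookie.http_only:
        return False  # still sent on requests, but hidden from document.cookie
    if cookie.domain is None:  # host-only: returned only to the host that set it
        return set_on_host.lower() == xss_host.lower()
    return domain_matches(xss_host, cookie.domain)


def audit(headers: List[str], set_on_host: str, xss_host: str) -> List[str]:
    """Names of cookies that script running on xss_host could steal."""
    return [c.name for c in map(parse_set_cookie, headers)
            if readable_by_script(c, set_on_host, xss_host)]


# Constructed sample: what a mail login on www.yahoo.com might set.
SAMPLE_HEADERS = [
    "sid=abc123; Domain=.yahoo.com; Path=/; Secure",            # parent domain, readable
    "auth=def456; Domain=.yahoo.com; Path=/; Secure; HttpOnly",  # parent domain, hidden
    "ui_theme=light; Path=/",                                    # host-only on www
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, "www.yahoo.com", "developer.yahoo.com"))  # ['sid']
```

Narrowing the session cookie's Domain to the mail host, or marking it HttpOnly, would have kept a blog-subdomain XSS from reading it.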

Although the attacker never obtains the user's password, nor can they change it, the attack does open up the potential to compromise the victim's other accounts. In theory, by reading existing emails an attacker could quickly determine which other accounts the address is tied to, such as social-media sites. With this information, they could then request a password reset and take control of those accounts.

Yahoo did not respond to ZDNet's request to comment.