X
Tech
Home Tech Security

Yahoo Webmail accounts exposed

Yahoo has fixed a bug in its Web based e-mail system that would have allowed attackers to seize control of users' e-mail accounts. The security flaw, discovered by eEye Digital Security's Drew Copley, allowed attackers to by-pass the Web-mail system's Javascript filters.
Written by Patrick Gray, Contributor
Yahoo has fixed a bug in its Web based e-mail system that would have allowed attackers to seize control of users' e-mail accounts.

The security flaw, discovered by eEye Digital Security's Drew Copley, allowed attackers to by-pass the Web-mail system's Javascript filters. Any message exceeding approximately 100kb in length would not be analysed by the filter, which is meant to strip messages of any potentially malicious Javascript.

In effect, this enabled attackers to take control of a user's account by sending them a specially crafted e-mail.

"A remarkable note about this bug is that no one seems to have found it before," Copley's advisory reads. "As far as anyone knows."

Speaking to ZDNet Australia  by phone from the U.S, Copley said it would be possible to use the flaw to capture the username and password of a Yahoo account holder.

"You can change the page that they're looking at. You can get all their contact information. You can do anything that a user would do on the page," he said. "The main thing people would do with this is to grab usernames and passwords through a re-login page."

This works by using Javascript to load a window that prompts the user to log in to the service again. However, when the user-name and password is entered, it is sent to the attacker, not to Yahoo. It works somewhat like a phishing scam, Copley said. The usual alarm bells would not ring for the average user, Copley added; Yahoo routinely prompts users with a window asking them to log in again following session time-outs.

The bug would also allow an attacker to seize the user's session cookie, which contains personal user details submitted to Yahoo. Copley has praised Yahoo's response to the issue.

"They were very professional and fixed it very quickly. I was impressed," he said.

The discovery of the bug did not come from hours of pain-staking research, Copley admits. He found it when another researcher, known as "http-equiv", sent him a virus, for research purposes, by e-mail that was over 100kb in size.

"He was showing me a virus that was using one of my bugs in the wild. It had all this code, and one of the parts just started running," he explained. "We found it by accident."

Editorial standards
Show Comments

Related

Placeholder product image alt text

The best AI image generators to try right now

Zoom Workplace

Zoom gets its first major overhaul in 10 years, powered by generative AI

Adobe logo at Adobe Summit

Adobe Premiere Pro's new AI tools blew my mind. Watch them in action for yourself