[kwlug-disc] OT: Hotmail/Yahoo account breakins
bjonkman at sobac.com
Wed Feb 13 21:13:02 EST 2013
I have no proof (or, in fact, any evidence at all), but I suspect it has
something to do with poor implementations of OAuth or other distributed
login mechanisms. F'rinstance, those non-Facebook sites that encourage
you to log in with your Facebook ID, or in your particular example,
logging in to non-Yahoo sites with your Yahoo login ID.
There have also been examples of being able to access others' mailboxes
by URL munging sessionID parameters. There's a lovely how-to at
There are also known Cross-Site Scripting attacks that can steal session
cookies and IDs if the browser is already logged into Yahoo:
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Phone: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cell: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
On 13-02-13 07:47 PM, Paul Nijjar wrote:
> I think I probably asked this before, but maybe there are updates now
> that it is 2013. For a while now (at least since Sept 2010) there has
> been a spate of attacks on webmail accounts. I want to know the
> In one case I believe somebody got infected after clicking on a
> link they had received from one of their contacts (who had
> also been attacked). I do not think the victim entered password
> information into the target page; I think they may have just opened
> the page. Is this possible? What is the mechanism that allows one into
> a Hotmail or Yahoo account this way?
> It looks like clicking on bad attachments can also trigger breakins.
> In most cases it looks like the passwords of the infected accounts are
> not changed. The usual advice seems to be "change your password". Is
> this correct advice? What should people do if they have had their
> account cracked?
> Does this affect only the web interface, or can you be infected if you
> check your email via an IMAP or POP download of the mail onto a fat
> client like mutt or Thunderbird?
> I know that some of you deal with mail systems, and since you are all
> smart I thought I would ask about this here. From time to time I look
> on the internet for explanations about why this happens, but so far I
> have not found satisfying explanations. Even people who are smart
> about computers are getting their accounts cracked.
> - Paul
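Added example, not part of Bob's message or of the thread: two defender-side checks for the session-handling weaknesses the message names (session IDs carried in URL parameters, and session cookies that an injected script can read). The cookie and parameter names, the log format and the sample log lines are all constructed for illustration.

```python
"""Added example (not from the kwlug-disc thread): audit session cookies and
spot session identifiers carried in URLs.

audit_set_cookie()        - findings for a Set-Cookie header that issues a
                            session cookie without HttpOnly / Secure / SameSite.
                            HttpOnly is the flag that keeps a script injected via
                            XSS from reading the cookie through document.cookie.
hardened_set_cookie()     - the corrected header for comparison.
find_session_ids_in_urls()- scan web-server log lines for session identifiers in
                            the query string, where they leak through Referer
                            headers, browser history and forwarded links.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed names; a real audit would use the application's actual cookie/parameter names.
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid", "phpsessid", "jsessionid"}
SESSION_PARAM_NAMES = {"sessionid", "session", "sid", "phpsessid", "jsessionid", "token"}


def audit_set_cookie(header_value: str) -> list:
    """Return a list of findings for one Set-Cookie header value (empty = fine)."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # only session cookies are in scope
        # Morsel attributes are "" when absent and True when the flag is present.
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (attached to cross-site requests)")
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value with the attributes the audit expects."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Matches the request line inside a common-log-format entry.
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def find_session_ids_in_urls(log_lines) -> list:
    """Return (parameter, path) pairs for requests carrying a session ID in the URL."""
    hits = []
    for line in log_lines:
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        for param in parse_qs(parts.query):
            if param.lower() in SESSION_PARAM_NAMES:
                hits.append((param, parts.path))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Feb/2013:21:13:02 -0500] "GET /mail/inbox?sid=3f9a7c HTTP/1.1" 200 1532',
    '10.0.0.7 - - [13/Feb/2013:21:14:10 -0500] "GET /mail/inbox HTTP/1.1" 200 1532',
    '10.0.0.9 - - [13/Feb/2013:21:15:44 -0500] "POST /login?PHPSESSID=abc123 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    weak = "sessionid=abc123; Path=/"
    print("weak cookie:", audit_set_cookie(weak))
    print("hardened cookie:", audit_set_cookie(hardened_set_cookie("sessionid", "abc123")))
    print("session IDs in URLs:", find_session_ids_in_urls(SAMPLE_LOG))
```

Running the block prints three findings for the weak cookie, none for the hardened one, and two log entries whose URLs carry a session identifier; the same checks can be pointed at a real server's response headers and access log.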