[kwlug-disc] OT: Hotmail/Yahoo account breakins

Paul Nijjar paul_nijjar at yahoo.ca
Wed Feb 13 22:37:54 EST 2013


That link paints a coherent story (the first I have understood). Even
without a zero-day vulnerability: cross-site scripting.

Does this make sense?

0. Amelia's hotmail account gets hacked. 
1. Burinder is a contact in Amelia's address book, and Burinder gets
mailed a mysterious link. 
2. Burinder clicks the link, which launches the XSS attack. Now the
attacker (or worm) can spam all of Burinder's contacts. 

I guess that works, but it does not feel like the whole story. 

- Does Burinder need to be using Hotmail if Amelia was? (My guess is
  no -- the XSS page might have exploits for a wide variety of webmail
  systems). 

- Does Burinder need to use webmail for this to work? (My guess is
  yes, since the attack depends on XSS. If Burinder is not logged into
  his webmail, then the XSS can't execute? Maybe that is wishful
  thinking.) 

- Can the attacker log into Burinder's account several days after the
  exploit has been executed? (My guess is that this should not be
  possible. Maybe long-lived cookies would allow this? This is why I
  feel the story is incomplete -- I think certain accounts send bad 
  messages for many many days.) 

- Can web browsers protect against XSS attacks of this nature? (My
  guess is that NoScript can, and it looks like IE and Chrome have 
  some XSS protection, but I do not know anything beyond that. Is
  there any protection for Firefox?)

- Does Burinder changing his password help? (I don't know at all.) 


Is this story even plausible?

If anybody has other stories (or better yet information that goes
beyond speculation) then I am very interested. 

- Paul

On Wed, Feb 13, 2013 at 09:13:02PM -0500, Bob Jonkman wrote:
> 
> There are also known Cross-Site Scripting attacks that can steal session
> cookies and IDs if the browser is already logged into Yahoo:
> https://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/
> 
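The session-cookie theft Bob's link describes, and Paul's question about long-lived cookies, both come down to how the webmail server sets its session cookie. Below is an added example (not from the thread or the Krebs article) that checks a Set-Cookie header for the attributes a defender would want: HttpOnly keeps the cookie out of page script, Secure and SameSite limit where it is sent, and a short Max-Age bounds how long a copied cookie stays usable. The cookie name `SID` and the two header strings are constructed sample input.

```python
"""Check a Set-Cookie header for the weaknesses discussed in the thread."""


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def assess_session_cookie(header: str, max_age_limit: int = 86400) -> list:
    """Return a list of findings; an empty list means the cookie is hardened."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    if "max-age" in attrs:
        try:
            age = int(attrs["max-age"])
        except ValueError:
            age = None
        if age is None or age > max_age_limit:
            findings.append(f"Max-Age {attrs['max-age']!r} exceeds "
                            f"{max_age_limit}s: a copied session stays valid for days")
    elif "expires" in attrs:
        findings.append("Expires set: persistent cookie outlives the browser session")
    return findings


# Constructed sample headers: a weak persistent cookie and a hardened one.
WEAK_COOKIE = "SID=abc123; Path=/; Expires=Wed, 13 Feb 2014 00:00:00 GMT"
HARDENED_COOKIE = "SID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, assess_session_cookie(hdr) or ["no findings"])
```

HttpOnly only stops script from reading the cookie; script running inside a logged-in webmail page can still act on the session, which is why the shorter lifetime and a password change (which should invalidate existing sessions) matter as well.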
