[kwlug-disc] OT: Hotmail/Yahoo account breakins

Bob Jonkman bjonkman at sobac.com
Wed Feb 13 23:29:46 EST 2013 

For an XSS attack, Step 0. and the first half of Step 1. are not
required.  Perhaps Burinder is interested in a larger penis, and clicks
on a link promising him one.  An XSS exploit could then acquire the
sessionID credentials (maybe the cookie, maybe the URL sessionID token
in the URL, maybe some other sessionID credential). By spoofing the
sessionID the exploit code is indistinguishable from valid code
accessing the e-mail account. It can acquire addressbook information, or
send e-mail. It is unlikely that the exploit code can change the
password, since Yahoo requires the user to re-authenticate with login
credentials before changing the password.

An XSS exploit is targeted to a particular (vulnerable) website, so a
Yahoo exploit won't work on Hotmail site. But I'm sure Hotmail has
plenty of XSS exploits all to itself.

If there is a vulnerability in the website's session management then a
replay attack using the same sessionID may be possible much later. Or
the initial XSS code creates a persistent cookie for itself (how many
people check the box for "Remember me on this computer"?). Or maybe the
XSS drops additional code that runs every time the browser starts (how
many plugins and addons are *you* running?)

For this particular type of attack changing your password won't help.
The fix needs to be made in either the browser, or the website (or
both).  The rash of compromised e-mail accounts in 2010 was supposedly
fixed by changing your Yahoo or Hotmail password, so that was another
type of attack.

Yes, the NoScript extension (Firefox only) protects against XSS, CSRF,
and a bunch of other attacks. I see some similar extensions for Chrome
at
https://chrome.google.com/webstore/search-extensions/noscript%20OR%20xss%20OR%20csrf
But running your browser without Javascript makes much of the shiny
Internet go away.

A morbidly obese mail client like Thunderbird can render HTML all by
itself, so a browser isn't strictly required. You're probably safe with
Mutt, tho.

Sadly, exploits like this are remarkably common. A quick search
https://ixquick.com/do/metasearch.pl?query=yahoo+mail+session+exploit
shows this same technique going back to 2003.

--Bob.

Bob Jonkman <bjonkman at sobac.com>         http://sobac.com/sobac/
SOBAC Microcomputer Services              Phone: +1-519-669-0388
6 James Street, Elmira ON Canada  N3B 1L5  Cell: +1-519-635-9413
Software   ---   Office & Business Automation   ---   Consulting 


On 13-02-13 10:37 PM, Paul Nijjar wrote:
> That link paints a coherent story (the first I have understood). Even
> without a zero-day vulnerability: cross-site scripting.
>
> Does this make sense?
>
> 0. Amelia's hotmail account gets hacked. 
> 1. Burinder is a contact in Amelia's address book, and Burinder gets
> mailed a mysterious link. 
> 2. Burinder clicks the link, which launches the XSS attack. Now the
> attacker (or worm) can spam all of Burinder's contacts. 
>
> I guess that works, but it does not feel like the whole story. 
>
> - Does Burinder need to be using Hotmail if Amelia was? (My guess is
>   no -- the XSS page might have exploits for a wide variety of webmail
>   systems). 
>
> - Does Burinder need to use webmail for this to work? (My guess is
>   yes, since the attack depends on XSS. If Burinder is not logged into
>   his webmail, then the XSS can't execute? Maybe that is wishful
>   thinking.) 
>
> - Can the attacker log into Burinder's account several days after the
>   exploit has been executed? (My guess is that this should not be
>   possible. Maybe long-lived cookies would allow this? This is why I
>   feel the story is incomplete -- I think certain accounts send bad 
>   messages for many many days.) 
>
> - Can web-browsers protect against XSS attacks of this nature? (My
>   guess is that NoScript can, and it looks like IE and Chrome have 
>   some XSS protection, but I do not know anything beyond that. Is
>   there any protection for Firefox?)
>
> - Does Burinder changing his password help? (I don't know at all.) 
>
>
> Is this story even plausible?
>
> If anybody has other stories (or better yet information that goes
> beyond speculation) then I am very interested. 
>
> - Paul
>
> On Wed, Feb 13, 2013 at 09:13:02PM -0500, Bob Jonkman wrote:
>> There are also known Cross-Site Scripting attacks that can steal session
>> cookies and IDs if the browser is already logged into Yahoo:
>> https://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/
>>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20130213/d5fe6a6b/attachment.sig>

More information about the kwlug-disc mailing list