[kwlug-disc] OT: Hotmail/Yahoo account breakins

chaslinux at gmail.com chaslinux at gmail.com
Thu Feb 14 17:31:39 EST 2013

So I had this happen recently on my gmail account. I'm thinking that an app I installed on my phone (whatsapp - a messenger-style app) may have provided a way in for someone.

Whatsapp seems to scour your phone's contacts to search for active whatsapp users with the same address. I don't know in my case because I never got to see full headers from those who got spammed (and it may not have helped anyway). In my case I changed my password immediately and set up 2 factor authentication for gmail (message gets sent to my phone with a code that let's me activate each computer I want gmail on).

Thinking phones could be a big problem in the near future.
Blog: http://www.charlesmccolm.com/
www: http://www.rebuild-it.com/
Sent from my cell phone.

-----Original Message-----
From: Paul Nijjar <paul_nijjar at yahoo.ca>
Sender: "kwlug-disc" <kwlug-disc-bounces at kwlug.org>
Date: Wed, 13 Feb 2013 22:37:54 
To: KWLUG discussion<kwlug-disc at kwlug.org>
Reply-To: KWLUG discussion <kwlug-disc at kwlug.org>
Subject: Re: [kwlug-disc] OT: Hotmail/Yahoo account breakins

That link paints a coherent story (the first I have understood). Even
without a zero-day vulnerability: cross-site scripting.

Does this make sense?

0. Amelia's hotmail account gets hacked. 
1. Burinder is a contact in Amelia's address book, and Burinder gets
mailed a mysterious link. 
2. Burinder clicks the link, which launches the XSS attack. Now the
attacker (or worm) can spam all of Burinder's contacts. 

I guess that works, but it does not feel like the whole story. 

- Does Burinder need to be using Hotmail if Amelia was? (My guess is
  no -- the XSS page might have exploits for a wide variety of webmail

- Does Burinder need to use webmail for this to work? (My guess is
  yes, since the attack depends on XSS. If Burinder is not logged into
  his webmail, then the XSS can't execute? Maybe that is wishful

- Can the attacker log into Burinder's account several days after the
  exploit has been executed? (My guess is that this should not be
  possible. Maybe long-lived cookies would allow this? This is why I
  feel the story is incomplete -- I think certain accounts send bad 
  messages for many many days.) 

- Can web-browsers protect against XSS attacks of this nature? (My
  guess is that NoScript can, and it looks like IE and Chrome have 
  some XSS protection, but I do not know anything beyond that. Is
  there any protection for Firefox?)

- Does Burinder changing his password help? (I don't know at all.) 

Is this story even plausible?

If anybody has other stories (or better yet information that goes
beyond speculation) then I am very interested. 

- Paul

On Wed, Feb 13, 2013 at 09:13:02PM -0500, Bob Jonkman wrote:
> There are also known Cross-Site Scripting attacks that can steal session
> cookies and IDs if the browser is already logged into Yahoo:
> https://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/

kwlug-disc mailing list
kwlug-disc at kwlug.org

More information about the kwlug-disc mailing list