[kwlug-disc] OT: Hotmail/Yahoo account breakins
chaslinux at gmail.com
Thu Feb 14 17:31:39 EST 2013
So I had this happen recently on my gmail account. I'm thinking that an app I installed on my phone (whatsapp - a messenger-style app) may have provided a way in for someone.
Whatsapp seems to scour your phone's contacts to search for active whatsapp users with the same address. I don't know in my case because I never got to see full headers from those who got spammed (and it may not have helped anyway). In my case I changed my password immediately and set up 2 factor authentication for gmail (message gets sent to my phone with a code that lets me activate each computer I want gmail on).
Thinking phones could be a big problem in the near future.
Sent from my cell phone.
From: Paul Nijjar <paul_nijjar at yahoo.ca>
Sender: "kwlug-disc" <kwlug-disc-bounces at kwlug.org>
Date: Wed, 13 Feb 2013 22:37:54
To: KWLUG discussion<kwlug-disc at kwlug.org>
Reply-To: KWLUG discussion <kwlug-disc at kwlug.org>
Subject: Re: [kwlug-disc] OT: Hotmail/Yahoo account breakins
That link paints a coherent story (the first I have understood). Even
without a zero-day vulnerability: cross-site scripting.
Does this make sense?
0. Amelia's hotmail account gets hacked.
1. Burinder is a contact in Amelia's address book, and Burinder gets
mailed a mysterious link.
2. Burinder clicks the link, which launches the XSS attack. Now the
attacker (or worm) can spam all of Burinder's contacts.
I guess that works, but it does not feel like the whole story.
- Does Burinder need to be using Hotmail if Amelia was? (My guess is
no -- the XSS page might have exploits for a wide variety of webmail
- Does Burinder need to use webmail for this to work? (My guess is
yes, since the attack depends on XSS. If Burinder is not logged into
his webmail, then the XSS can't execute? Maybe that is wishful
- Can the attacker log into Burinder's account several days after the
exploit has been executed? (My guess is that this should not be
possible. Maybe long-lived cookies would allow this? This is why I
feel the story is incomplete -- I think certain accounts send bad
messages for many many days.)
- Can web-browsers protect against XSS attacks of this nature? (My
guess is that NoScript can, and it looks like IE and Chrome have
some XSS protection, but I do not know anything beyond that. Is
there any protection for Firefox?)
- Does Burinder changing his password help? (I don't know at all.)
Is this story even plausible?
If anybody has other stories (or better yet information that goes
beyond speculation) then I am very interested.
On Wed, Feb 13, 2013 at 09:13:02PM -0500, Bob Jonkman wrote:
> There are also known Cross-Site Scripting attacks that can steal session
> cookies and IDs if the browser is already logged into Yahoo:
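As an added illustration (not code from the thread or from any webmail provider), the following model shows the server-side session controls that the questions above turn on: a cookie flagged HttpOnly so page script cannot read it, a bounded session lifetime so a copied token stops working, and a password change that revokes every outstanding session. The lifetime value and the session-store design are assumptions for the example.

```python
# Added example (not from the kwlug-disc thread): a minimal webmail-style
# session store. HttpOnly keeps script from reading the token, Max-Age bounds
# how long a stolen copy works, and a password change revokes all sessions.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_LIFETIME_S = 8 * 3600  # assumed policy: sessions expire after 8 hours


@dataclass
class Session:
    user: str
    issued_at: float


class SessionStore:
    """In-memory session store; `clock` is injectable so tests can advance time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, not derived from user data
        self._sessions[token] = Session(user, self._clock())
        return token

    def cookie_header(self, token: str) -> str:
        # HttpOnly: document.cookie cannot read it. Secure: never sent over plain
        # HTTP. SameSite=Lax: not attached to cross-site POSTs. Max-Age bounds
        # the window in which a copied token remains useful.
        return (f"Set-Cookie: sid={token}; HttpOnly; Secure; SameSite=Lax; "
                f"Max-Age={SESSION_LIFETIME_S}; Path=/")

    def user_for(self, token: str) -> Optional[str]:
        """Return the owning user, or None if the token is unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s.issued_at > SESSION_LIFETIME_S:
            del self._sessions[token]
            return None
        return s.user

    def change_password(self, user: str) -> int:
        """Revoke every session belonging to `user`; returns how many were dropped."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```

Whether a password change helps against an already-stolen token depends entirely on the server doing the revocation shown in `change_password`; a change that only updates the credential leaves existing sessions valid until Max-Age runs out.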