[kwlug-disc] OT: Hotmail/Yahoo account breakins

Bob Jonkman bjonkman at sobac.com
Thu Feb 14 18:04:08 EST 2013


Two-factor authentication won't help against XSS attacks.  Once you've
authenticated, a cross-site leak can still allow sessionIDs from the
gmail website to be read by a malicious website. Since a "stolen"
sessionID is indistiguishable from the real one, code from the malicious
site will still access gmail's data without triggering another
authentication request.

Browsers on phones are a (relatively) new thing, so I expect them to
have more undiscovered (unreported) vulnerabilities than the more mature
browser software on desktops. And since phone browsers are tweaked for 
different hardware platforms and different phone carriers' whims, every
variation can introduce more vulnerabilities than on their more limited
desktop cousins.

And "optimizing" Web sites and applications for mobile viewing can
introduce more vulnerabilities yet.

And having a separate phone app for GMail, Hotmail, Yahoo Mail,
Facebook, Twitter, LinkedIn, &c. means that each app can have its own
set of unique vulnerabilities. 

With so many different apps, platforms and sites the pool of eyeballs
becomes shallower than the pool of bugs [1].

> Thinking phones could be a big problem in the near future.

 Yup.

--Bob.

[1] cf. Linus's Law: Given enough eyeballs, all bugs are shallow.
http://catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html

Bob Jonkman <bjonkman at sobac.com>         http://sobac.com/sobac/
SOBAC Microcomputer Services              Phone: +1-519-669-0388
6 James Street, Elmira ON Canada  N3B 1L5  Cell: +1-519-635-9413
Software   ---   Office & Business Automation   ---   Consulting 


On 13-02-14 05:31 PM, chaslinux at gmail.com wrote:
> So I had this happen recently on my gmail account. I'm thinking that an app I installed on my phone (whatsapp - a messenger-style app) may have provided a way in for someone.
>
> Whatsapp seems to scour your phone's contacts to search for active whatsapp users with the same address. I don't know in my case because I never got to see full headers from those who got spammed (and it may not have helped anyway). In my case I changed my password immediately and set up 2 factor authentication for gmail (message gets sent to my phone with a code that let's me activate each computer I want gmail on).
>
> Thinking phones could be a big problem in the near future.
> Blog: http://www.charlesmccolm.com/
> www: http://www.rebuild-it.com/
> Sent from my cell phone.
>
> -----Original Message-----
> From: Paul Nijjar <paul_nijjar at yahoo.ca>
> Sender: "kwlug-disc" <kwlug-disc-bounces at kwlug.org>
> Date: Wed, 13 Feb 2013 22:37:54 
> To: KWLUG discussion<kwlug-disc at kwlug.org>
> Reply-To: KWLUG discussion <kwlug-disc at kwlug.org>
> Subject: Re: [kwlug-disc] OT: Hotmail/Yahoo account breakins
>
>
> That link paints a coherent story (the first I have understood). Even
> without a zero-day vulnerability: cross-site scripting.
>
> Does this make sense?
>
> 0. Amelia's hotmail account gets hacked. 
> 1. Burinder is a contact in Amelia's address book, and Burinder gets
> mailed a mysterious link. 
> 2. Burinder clicks the link, which launches the XSS attack. Now the
> attacker (or worm) can spam all of Burinder's contacts. 
>
> I guess that works, but it does not feel like the whole story. 
>
> - Does Burinder need to be using Hotmail if Amelia was? (My guess is
>   no -- the XSS page might have exploits for a wide variety of webmail
>   systems). 
>
> - Does Burinder need to use webmail for this to work? (My guess is
>   yes, since the attack depends on XSS. If Burinder is not logged into
>   his webmail, then the XSS can't execute? Maybe that is wishful
>   thinking.) 
>
> - Can the attacker log into Burinder's account several days after the
>   exploit has been executed? (My guess is that this should not be
>   possible. Maybe long-lived cookies would allow this? This is why I
>   feel the story is incomplete -- I think certain accounts send bad 
>   messages for many many days.) 
>
> - Can web-browsers protect against XSS attacks of this nature? (My
>   guess is that NoScript can, and it looks like IE and Chrome have 
>   some XSS protection, but I do not know anything beyond that. Is
>   there any protection for Firefox?)
>
> - Does Burinder changing his password help? (I don't know at all.) 
>
>
> Is this story even plausible?
>
> If anybody has other stories (or better yet information that goes
> beyond speculation) then I am very interested. 
>
> - Paul
>
> On Wed, Feb 13, 2013 at 09:13:02PM -0500, Bob Jonkman wrote:
>> There are also known Cross-Site Scripting attacks that can steal session
>> cookies and IDs if the browser is already logged into Yahoo:
>> https://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/
>>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20130214/d3853167/attachment.bin>


More information about the kwlug-disc mailing list