[kwlug-disc] OT: Hotmail/Yahoo account breakins
bjonkman at sobac.com
Fri Feb 15 03:36:13 EST 2013
> I have NEVER ever used Yahoo Mail or Hotmail on a mobile device, so
> that is not the attack vector for sure.
Not for you, perhaps, but that doesn't rule it out as an attack vector.
> Something else not mentioned thus far: only read e-mail in plain text.
If you're reading plain text e-mail in a browser (or a browser-capable
MUA) then you're still vulnerable to XSS. As long as you're
another Web site viewed at the same time can exploit XSS vulnerabilities
and execute scripts on the e-mail site. Chrome makes XSS more difficult
vulnerabilities were still discovered during a Google-sponsored
hackathon (they've been fixed). Remember that clicking on a link isn't
enough to trigger an exploit. Most web-based mail sites and
browser-enabled MUAs have a setting to disallow remote content. I
couldn't find a "Preferences" control in Thunderbird to disable
But if you meant "only read e-mail in a text-only MUA like Mutt" then
you're probably safe from XSS. (Is there any text-based browser or MUA
I can understand a browser-capable MUA like Thunderbird being vulnerable
to XSS if the mail access (POP, IMAP) session credentials are shared
with the HTML browser session credentials, but that would be a really
bad security model and I'm 99 44/100% sure that kind of code would never
exist in an open source project like Thunderbird.
And just to up the paranoia level a notch, CSRF (Cross Site Request
Forgery) is another attack across different browser windows, but doesn't
Wikipedia has a good example at https://en.wikipedia.org/wiki/Csrf
NoScript protects against CSRF too.
> On 13-02-14 09:44 PM, Khalid Baheyeldin wrote:
>> On Thu, Feb 14, 2013 at 9:32 PM, unsolicited <unsolicited at swiz.ca>
>>> Worth forwarding all accounts to your trusted / preferred server, where
>>> you can use your (sandboxed?) trusted e-mail client / browser/e-mail
>>> (Isn't gmail supposed to have some pretty good malware detection
>>> behind it?)
>> In theory, yes.
>> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
>> allows it).
> MANY do, including hotmail and yahoo. Live, gmail, rogers, the list
> goes on.
>> Furthermore, I used Gmail for its features, like spam protection,
>> threading, good compose features, ...etc.
> Which you would be gaining for all these other accounts as well.
>> And I don't want to run my own POP/IMAP server.
> Which is fine, I wasn't suggesting you should.
>> And the attack vector was not Gmail. It was definitely Chromium and
>> So all of that does not solve anything in this case.
> Which is my POINT. If you were reading Yahoo in Gmail, taking
> advantage of the features you like, that attack vector is closed for
> you - you are never in Yahoo to be exposed to those holes.
>> Something else not mentioned thus far: only read e-mail in plain text.
>>> Switching to non-plain text on a per-message, judicious basis.
> I didn't say it does. It's just another element of the various other
> steps that can be taken.
>> If someone sends you a URL, and you have plain text email in your
>> and you copy and paste it, then it is the same as clicking it from HTML.
> Not necessarily so.
> First, a URL in plain text is just as clickable as in non-plain text.
> Second, that presumes you're reading the message in a browser not an
> e-mail client.
> Regardless of where you click it, if the result is in, say, Firefox
> with NoScript, then you are leveraging the precautions you have taken
> there that might not be present in a standalone client.
> If you're in Firefox / NoScript and webmail reading, then you're
> protected from this anyways, as you said, by those same precautions.
> And from many of the nefarious html scripting and nonsense fiddly bits
> that come along in various other ways - that are not active script in
> plain text reading. Such as calls to invisible graphics from tracking
> sites - the very fetch request of which tells them that you got it,
> where you're from, and so on and so forth.
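The thread mentions two things a mail reader can do about HTML messages: a "disallow remote content" setting, and the "invisible graphics from tracking sites" whose fetch alone tells the sender that the message was opened. The following is an added example (not code from the thread or from any mail client) of what such a setting does under the hood: it parses the HTML body, neutralises every attribute that would make the renderer fetch a remote URL, drops script and style blocks, and reports what it blocked. The message body, the hostnames in it and the `data-blocked-*` attribute naming are all constructed for the example.

```python
"""Block remote content in an HTML e-mail before it is rendered.

Added example, not from the original thread. Models a mail client's
"disallow remote content" setting: every attribute that would cause a
fetch from the sender's (or a tracker's) server is renamed so the
renderer ignores it, script/style/iframe/object blocks are dropped, and
the list of blocked URLs is returned so the client can show a
"load remote content" button. Anchors (<a href>) are left alone: they
only fetch when the user clicks them.
"""
from html import escape
from html.parser import HTMLParser

# Attributes whose value the renderer fetches automatically.
FETCH_ATTRS = {"src", "href", "background", "poster", "data", "srcset"}
# href is an automatic fetch only on <link>; on <a> it is user navigation.
HREF_FETCHES = {"link"}
# Elements removed together with their content.
DROP_TAGS = {"script", "style", "object", "embed", "iframe"}
REMOTE_PREFIXES = ("http://", "https://", "//")


class RemoteContentBlocker(HTMLParser):
    """Rebuilds the HTML while neutralising remote fetches."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked = []       # URLs / style values the renderer would have fetched
        self._drop_depth = 0    # > 0 while inside a dropped element

    @staticmethod
    def _is_remote(value):
        return value is not None and value.strip().lower().startswith(REMOTE_PREFIXES)

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            fetches = lname in FETCH_ATTRS and (lname != "href" or tag in HREF_FETCHES)
            if fetches and self._is_remote(value):
                self.blocked.append(value)
                kept.append(("data-blocked-" + lname, value))  # kept so it can be re-enabled
            elif lname == "style" and "url(" in (value or "").lower():
                # Inline CSS can fetch too (background:url(...)); block the whole declaration.
                self.blocked.append(value)
                kept.append(("data-blocked-style", value))
            else:
                kept.append((name, value))
        return kept

    @staticmethod
    def _render(tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self._drop_depth += 1
            return
        if not self._drop_depth:
            self.out.append(self._render(tag, self._filter_attrs(tag, attrs), False))

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_TAGS and not self._drop_depth:
            self.out.append(self._render(tag, self._filter_attrs(tag, attrs), True))

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments carry nothing worth rendering


def block_remote_content(html_body):
    """Return (sanitised_html, blocked_values) for an HTML message body."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample message: one real link, one 1x1 tracking pixel,
# one inline (cid:) image, a CSS background fetch and a script block.
SAMPLE_HTML = """<html><body>
<p>Your parcel has shipped. <a href="https://shop.example/track/42">Track it</a></p>
<img src="https://track.example/open.gif?uid=8821" width="1" height="1">
<img src="cid:logo@shop.example" alt="logo">
<div style="background:url(https://track.example/bg.png)">Thanks for shopping with us!</div>
<script>reportOpen()</script>
</body></html>"""

if __name__ == "__main__":
    cleaned, blocked = block_remote_content(SAMPLE_HTML)
    print(cleaned)
    print("blocked:", blocked)
```

Only the tracking pixel and the CSS background are reported as blocked; the `cid:` image (attached to the message itself) and the clickable link survive untouched. The `srcset` check is deliberately coarse (it only looks at the start of the value), which errs on the side of blocking.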
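The post also raises CSRF, pointing at the Wikipedia example in which a page in another window makes the browser send a request to the mail site with the victim's cookies attached. NoScript stops that on the client; the following added example (not from the thread or from any webmail provider) shows the server-side counterpart: a state-changing webmail action (a hypothetical "set forwarding address" endpoint) that refuses requests unless the browser-supplied Origin or Referer names the site's own origin and the form carries a token bound to the session. The origin, key, session id and request dicts are all constructed for the example.

```python
"""Server-side CSRF defence for a state-changing webmail action.

Added example, not code from the original thread or any mail provider.
A cross-site request arrives with the victim's cookies, so cookies alone
must not authorise a change. Two independent checks are applied:

  1. the browser-set Origin header (Referer as fallback) must name our
     own origin, and a request with neither is rejected (fail closed);
  2. the form must carry a token that only our own pages could have
     embedded, derived from the session so a token issued to one session
     is useless in another (a per-session synchronizer token).
"""
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://mail.example"      # hypothetical webmail origin
SERVER_KEY = b"constructed-demo-key"      # constructed; a real key is secret server config
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in our own forms: a keyed MAC over the session id."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> Optional[str]:
    """Origin sent by the browser, falling back to the Referer's origin."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(request: dict, session_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request to a state-changing endpoint.

    `request` is a constructed stand-in for a framework request object:
    a dict with "method", "headers" and "form" keys.
    """
    if request["method"].upper() not in STATE_CHANGING:
        # The Wikipedia example forges a GET via an <img src=...>; a state
        # change must never be reachable through a safe method at all.
        return False, "state change attempted with a safe method"
    origin = request_origin(request.get("headers", {}))
    if origin is None:
        return False, "no Origin or Referer: cannot verify the sending page"
    if origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    token = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison on bytes so a non-ASCII token cannot raise.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "accepted"


# Constructed sample traffic for one logged-in session.
SESSION = "sess-7f3a"
LEGIT = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN, "Cookie": "sid=" + SESSION},
    "form": {"forward_to": "me@trusted.example", "csrf_token": issue_csrf_token(SESSION)},
}
# Same cookie (the browser attaches it automatically), but the form was
# submitted by a page on another site, which cannot read our token.
CROSS_SITE = {
    "method": "POST",
    "headers": {"Origin": "https://other.example", "Cookie": "sid=" + SESSION},
    "form": {"forward_to": "elsewhere@other.example"},
}
# The image-tag variant from the Wikipedia article: a GET with no Origin header.
IMG_GET = {
    "method": "GET",
    "headers": {"Referer": "https://other.example/page.html", "Cookie": "sid=" + SESSION},
    "form": {"forward_to": "elsewhere@other.example"},
}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("cross-site", CROSS_SITE), ("img-get", IMG_GET)):
        print(f"{name:10s} -> {check_csrf(req, SESSION)}")
```

Either check alone is enough to stop the two constructed forgeries; keeping both means a bug or a proxy that strips one header does not silently reopen the hole. A per-session token as used here is the simplest form of the technique; frameworks commonly issue per-form tokens or tie the token to a cookie, but the principle that the token must be something a foreign page cannot read is the same.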