[kwlug-disc] OT: Hotmail/Yahoo account breakins

Bob Jonkman bjonkman at sobac.com
Fri Feb 15 03:36:13 EST 2013

Khalid wrote:
> I have NEVER ever used Yahoo Mail or Hotmail on a mobile device, so
> that is not the attack vector for sure.

Not for you, perhaps, but that doesn't rule it out as an attack vector.

unsolicited wrote:
> Something else not mentioned thus far: only read e-mail in plain text. 

If you're reading plain text e-mail in a browser (or a browser-capable
MUA) then you're still vulnerable to XSS.  As long as you're
authenticated to an e-mail service and have Javascript enabled, then
another Web site viewed at the same time can exploit XSS vulnerabilities
and execute scripts on the e-mail site.  Chrome makes XSS more difficult
by isolating each window (tab?) in its own Javascript sandbox, but
vulnerabilities were still discovered during a Google-sponsored
hackathon (they've been fixed).  Remember that clicking on a link isn't
required - just opening a message or Web page containing Javascript is
enough to trigger an exploit. Most web-based mail sites and
browser-enabled MUAs have a setting to disallow remote content. I
couldn't find a "Preferences" control in Thunderbird to disable
Javascript, although it can be disabled in the Config Editor.

But if you meant "only read e-mail in a text-only MUA like Mutt" then
you're probably safe from XSS. (Is there any text-based browser or MUA
that executes Javascript?)

I can understand a browser-capable MUA like Thunderbird being vulnerable
to XSS if the mail access (POP, IMAP) session credentials are shared
with the HTML browser session credentials, but that would be a really
bad security model and I'm 99 44/100% sure that kind of code would never
exist in an open source project like Thunderbird.

And just to up the paranoia level a notch, CSRF (Cross Site Request
Forgery) is another attack across different browser windows, but doesn't
require Javascript (so disabling Javascript is no protection).
Wikipedia has a good example at https://en.wikipedia.org/wiki/Csrf
NoScript protects against CSRF too.


> On 13-02-14 09:44 PM, Khalid Baheyeldin wrote:
>> On Thu, Feb 14, 2013 at 9:32 PM, unsolicited <unsolicited at swiz.ca>
>> wrote:
>>> Worth forwarding all accounts to your trusted / preferred server, where
>>> you can use your (sandboxed?) trusted e-mail client / browser/e-mail
>>> combo?
>>> (Isn't gmail supposed to have some pretty good malware detection
>>> behind it?)
>> In theory, yes.
>> But not all services provide forwarding nor POP/IMAP (AFAIK, only Gmail
>> allows it).
> MANY do, including hotmail and yahoo. Live, gmail, rogers, the list
> goes on.
>> Further more, I used Gmail for its features, like spam protection,
>> threading, good compose features, ...etc.
> Which you would be gaining for all these other accounts as well.
>> And I don't want to run my own POP/IMAP server.
> Which is fine, I wasn't suggesting you should.
>> And the attack vector was not Gmail. It was definitely Chromium and
>> Yahoo
>> Mail.
>> So all of that does not solve anything in this case.
> Which is my POINT. If you were reading Yahoo in Gmail, taking
> advantage of the features you like, that attack vector is closed for
> you - you are never in Yahoo to be exposed to those holes.
>> Something else not mentioned thus far: only read e-mail in plain text.
>>> Switching to non-plain text on a per message, judicious, basis.
> I didn't say it does. It's just another element of the various other
> steps that can be taken.
>> If someone sends you a URL, and you have plain text email in your
>> client,
>> and you copy and paste it, then it is the same as clicking it from HTML.
> Not necessarily so.
> First, an URL in plain text is just as clickable as in non-plain text.
> Second, that presumes you're reading the message in a browser not an
> e-mail client.
> Regardless of where you click it, if the result is in, say, Firefox
> with NoScript, then you are leveraging the precautions you have taken
> there that might not be present in a standalone client.
> If you're in Firefox / NoScript and webmail reading, then you're
> protected from this anyways, as you said, by those same precautions.
> And from many of the nefarious html scripting and nonsense fiddly bits
> that come along in various other ways - that are not active script in
> plain text reading. Such as calls to invisible graphics from tracking
> sites - the very fetch request of which tells them that you got it,
> where you're from, and so on and so forth.
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
