[kwlug-disc] OT: Hotmail/Yahoo account breakins

Bob Jonkman bjonkman at sobac.com
Wed Feb 13 21:13:02 EST 2013 

I have no proof (or, in fact, any evidence at all), but I suspect it has
something to do with poor implementations of OAuth or other distributed
login mechanisms. F'rinstance, those non-Facebook sites that encourage
you to log in with your Facebook ID, or in your particular example,
logging in to non-Yahoo sites with your Yahoo login ID.

There have also been examples of being able to access others' mailboxes
by URL munging sessionID parameters.  There's a lovely how-to at
http://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net#40

There are also known Cross-Site Scripting attacks that can steal session
cookies and IDs if the browser is already logged into Yahoo:
https://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/

--Bob.

Bob Jonkman <bjonkman at sobac.com>         http://sobac.com/sobac/
SOBAC Microcomputer Services              Phone: +1-519-669-0388
6 James Street, Elmira ON Canada  N3B 1L5  Cell: +1-519-635-9413
Software   ---   Office & Business Automation   ---   Consulting 


On 13-02-13 07:47 PM, Paul Nijjar wrote:
> I think I probably asked this before, but maybe there are updates now
> that it is 2013. For a while now (at least since Sept 2010) there has
> been a spate of attacks on webmail accounts. I want to know the
> mechanism. 
>
> In one case I believe somebody got infected after clicking on a
> link they had received from one of their contacts (who had
> also been attacked). I do not think the victim entered password
> information into the target page; I think they may have just opened
> the page. Is this possible? What is the mechanism that allows one into
> a Hotmail or Yahoo account this way? 
>
> It looks like clicking on bad attachments can also trigger breakins. 
>
> In most cases it looks like the passwords of the infected accounts are
> not changed. The usual advice seems to be "change your password". Is
> this correct advice? What should people do if they have had their
> account cracked?
>
> Does this affect only the web interface, or can you be infected if you
> check your email via an IMAP or POP download of the mail onto a fat
> client like mutt or Thunderbird?
>
> I know that some of you deal with mail systems, and since you are all
> smart I thought I would ask about this here. From time to time I look
> on the internet for explanations about why this happens, but so far I
> have not found satisfying explanations. Even people who are smart
> about computers are getting their accounts cracked. 
>
>
> - Paul
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20130213/58254b99/attachment.sig>

More information about the kwlug-disc mailing list