YahooXtra: What actually happened?
Unless you've been living under a rock you would have heard about the massive issues encountered by Yahoo and Xtra email users over the weekend. But what really happened?
This bomb comes at the end of a tumultuous and rocky month for the Yahoo security team who appear to have been playing cat and mouse with some particularly determined hackers. And now Telecom's YahooXtra service, and a huge number of kiwis, have been caught in the middle.
So what really happened at Yahoo over the last month, and what advice can you give your customers to reduce the likelihood they're caught in future?
Yahoo vs YahooXtra
First things first, and as unpopular as this comment might be, it should be pointed out these issues appear to be as a consequence of problems at Yahoo, not Telecom.
Back in 2007 Telecom's subsidiary Xtra outsourced email management for its half a million users to Yahoo via YahooXtra, a joint venture between Yahoo's Australian arm and Telecom (and now owned 100% by the Aussie Yahooers).
While the move wasn't exactly without problems, and the buck does stop with Telecom, they appear to be as much a victim of this as their Xtra email customers. With the exception of some very poor comms when the story first broke and putting aside the debate on whether they should have outsourced email in the first place, there really isn't a lot the Telecom team could have done to prevent this.
Background: Cookie crumbs
As most readers will know, when you log into webmail (or in fact any website that lets you log in) a small file called a cookie is stored by your web browser containing details of your login. This allows the website to remember you as you travel the site.
Web browsers use a rule called the same origin policy to decide which sites can interact with cookies from a website. In essence this means that only webpages originating from the same domain name as that cookie can access a cookie's data. So if you logged into site1.co.nz then visited site2.co.nz, the second site couldn't access the details of the first site's cookie (but returning to site1 would provide the cookie details).
This concept is hugely important, as if a hacker could gain access to the data stored in your site1 cookie they could potentially copy it, visit the site1 themselves and fool the site into thinking they were you. So for webmail, they could then have full access to your email account including contact list and emails.
There are two types of cookies, session and persistent. Session cookies are temporary and are deleted when you close your browser. Any site where you have to completely log in again if you close your browser are most likely using session cookies.
Persistent cookies stay around for a predetermined period of time (often months or a year), even after you've closed your browser or restarted your computer. If you click the "remember me" box when logging into webmail or TradeMe or any other site, a persistent cookie is used to keep these details between sessions.
So, what has that got to do with Yahoo?
Yahoo exploit apparently bought for $700
This whole sordid tale appears to date back to November last year when a hacker going by the name of TheHell discovered a major vulnerability on Yahoo's servers, then sold it on a black hat security forum for $700.
Yes, you read that right. This entire episode and the huge disruption for Yahoo and Xtra and their customers appears to have been caused by a script kiddie who bought the hack off the Internet for just $700. The mind boggles.
So how did it work?
The vulnerability appears to have hit Yahoo simply because admins of the Yahoo Developers Network were particularly slack in keeping their blog software up to date. The hack reportedly exploited a well known and widely publicised 9 month old hole in a component of the WordPress blogging software on the Yahoo subdomain developer.yahoo.com.
Because developer.yahoo.com is a sub-domain of yahoo.com, cookies for yahoo.com, such as the cookie used to store who you are and the fact that you've logged in, are accessible to that site. The vulnerability allowed the hackers to plant a script on the developer site which read the Yahoo login cookie from any browser that called it and sent it "home" to the hacker. Once they had this, they had full control of a victim's Yahoo (and by extension YahooXtra) email accounts to do with as they pleased.
So at that stage all the hacker had to do was get you to visit another third-party web page loaded with the payload. As long as you were using a browser that had a cookie stored from a previous visit to Yahoo or YahooXtra that third-party site would then call the script on developer.yahoo.com and lift your cookie - thereby gaining access to your account.
And here's the clincher - this likely worked with persistent cookies too - meaning you only had to have logged into Yahoo or YahooXtra sometime in the last year or so in the same browser, and ticked the "remember me" checkbox, to be vulnerable. You might not have actually used the account for months.
Here's one of several "proof of concept" videos that circulated during January:
For the hackers to get access to your account, however, they had to get you to visit a webpage that had the XSS attack code on it. This could actually be on any page on the web they could load the script. To gain access to as many accounts as possible, the hackers combined the exploit with an automated worm-like email designed to propagate through Yahoo's users.
This has been described by some as a "phishing email", however this is not correct. A phishing email is designed to trick you into giving up your login or credit card details on a page that appears to be your bank, webmail, auction site or whatever. But there was no phishing here - simply a link that directed you to a webpage that then used the vulnerability on the Yahoo Developers Network to lift your cookie info and gain access to your webmail account.
As a rule, users should reasonably expect to be able to follow any link or visit any webpage without having their email auto-magically hacked without warning. Despite earlier reports, getting caught by this was not the fault of its victims in any way.
Once the hackers had access to your account, a script ran which then sent an email to everyone in your address book, purporting to come from you by name and email, telling them to take a look at a particular link. And, of course, at the other end of the link was... the exploit.
As would be expected, most recipients clicked on the link, at which point if they had a Yahoo or YahooXtra cookie it was copied, their mailbox accessed, contact list snatched and the link sent on again to all their contacts. And so on.
It would appear that despite knowing there was allegedly a vulnerability since at least last November, the propagation stage of the process continued on for about a month - most of January - before the vulnerability was finally patched by Yahoo. During the month the hacker and Yahoo seemed to play cat and mouse, with Yahoo claiming it was fixed then new variants of the attack being found.
Last weekend's YahooXtra spam attack
Details are still a little scarce on last weekend's YahooXtra attack, however it's looking increasingly likely, outwardly at least, that it was simply a spam attack using information propagated from the earlier vulnerability rather than a continuation of the propagation.
There are three reasons to draw this conclusion. Firstly, it appears that in many cases the emails were sent when people were away from their computers and during the weekend (when email use drops considerably). Secondly, the nature of the emails sent points to an attempted credit card scam rather than re-propagation of the vulnerability, although it could have been both of course. But mostly, because examining the email headers suggests they originated off Yahoo's network. They seemed to have come from all over the place, meaning they were most likely sent via an existing botnet.
What's particularly concerning is there are widespread reports that the recipients of the suspect emails were actually stripped from the to: and from: fields of old emails rather than from the Address Book. We've had a number of members note that when they've looked at their address book vs the old emails in the account, it's been the latter that received these emails.
The reason this is concerning is that it would indicate someone out there has an archive of all the sent and received email from compromised accounts (although headers-only, to snatch the email addresses, would have been far faster).
The other option, of course, is that it's a full continuation of the earlier Yahoo attack via a new variant of the same vulnerability. We certainly hope Yahoo and YahooXtra will be upfront with their customers if this is the case.
New breed of scams
Best case, the hackers now appear to have a list of probably hundreds of thousands of Yahoo and YahooXtra email addresses, names, and - worryingly - contacts. The net result is that phishing and scam emails have probably now changed forever.
What do I mean by that? The social engineering aspect of not just having a big email list, but also a relationship between email accounts is significant. For example, if they know I'm friends with Andrew, how long before Andrew receives an email like this:
Not sure if you know, but I've been training to run a half-marathon for kids with cancer next weekend and was really hoping you might sponsor me. All money goes to charity.
Just go here to donate - even $5 would be great! Really appreciate it.
Andrew clicks the link, ends up on a site that looks like a donation site, puts in his credit card and… boom! They've cleared it out.
And that could be one of hundreds of social scams enabled by knowing the relationship between email accounts allowing for far more sophisticated scams than most run-of-the-mill online scams we see today.
At worst, the perpetrators also now have a massive archive of emails sent and received from the compromised accounts and could dump that online - potentially the largest privacy breach in New Zealand's history.
We're hoping Yahoo's logs will show the extent of the pontential fallout and that they'll come clean on this - staying mum will cause more damage than being open and transparent with their customers.
What to do about it now?
The long and short of it is, there's very little anyone can do about this breach - it's happened, the horse has bolted and it appears they have the data to launch spam and scam campaigns into the future.
This should never have occurred in the first place of course. But unfortunately this does happen, although there are ways of reducing the possibility:
- If there's a suspicion you've been hit with something like this in future, go straight to your webmail page and log out. Once logged out the session is dead and the account can no longer be accessed. Don't do anything else first - time is of the essence.
- Get in the habit of always logging out after you've checked your email, via the logout button. Don't just close the browser window - that's not good enough. Remember in this case the target email could have come through any email account, not just Yahoo or YahooXtra accounts. As long as the compromised website was accessed by the same browser that had previously accessed Yahoo, the account is potentially vulnerable.
- Contrary to reports, changing your password really isn't going to help in this case (although it may have killed the cookie depending on Yahoo's setup) and updating virus protection wouldn't help either. Although it's still a good idea, of course.
- Even though having to log in all the time is annoying, don't use the "remember me" checkbox on webmail. Remember that this potentially makes your account vulnerable all the time rather than just when you're on the webmail site. It's simply not worth the risk for a little convenience.
Unfortunately this isn't the first major breach at Yahoo. For example, back in July last year hackers used a relatively simple "hacking 101" SQL injection on a Yahoo subdomain to steal 450,000 emails and passwords, releasing them all publicly.
Those responsible for last year's attack left a note for Yahoo:
We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.
I suspect there are a great many New Zealanders wishing this advice was heeded a little more thoroughly over the last month.
Paul Matthews is chief executive of the Institute of IT Professionals NZ.
You must be logged in in order to post comments. Log In