Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 [2]

Author Topic: Yahoo account hacked  (Read 9725 times)

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #15 on: April 26, 2013, 11:51:05 PM »

  This could also explain why the contacts disappeared later... ie when the session expired...

Getting out of my knowledge and 'comfort zone' on this one, but it is possible that the contacts disapeared about the time I changed the password.  I guess that password change might have forcibly expired the session?
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30477
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #16 on: April 27, 2013, 12:44:38 AM »

>>> I guess that password change might have forcibly expired the session?

Very likely -depends just on what is stored in the Yahoo session cookie. 
Session cookies will always expire when the browser page is closed.

Take for eg the adslchecker, I use session cookies for that as it (temp) stores the postcode/phone no.  As soon as new information is input or the page is closed then none of the previous information is remembered.   I choose not to store any of this personal info on my server, but obviously Yahoo will also store login info on their server too.

Depending on the type of XSS attack, then I suppose its not impossible to also pick up new login details too.. I dont know enough about it to say for sure one way or the other. 
What I saw of the code last nite I would imagine its one of the DOM-based vulnerabilities - most likely non-persistent.

Once this info has been reaped, then stage 2 will kick in and send out the spam mails and delete contacts.. (or whatever the hacker wants to use your Yahoo account for), this part of the automated script is hosted elsewhere (probably proxies involved? )... which is why the login shows as coming from a different location than your own.

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #17 on: April 27, 2013, 08:11:11 AM »

I don't know if it is relevant, but I continue to strongly contest the idea that I may have clicked on any link embedded in my yahoo email.  It's not just that I consider myself too savy, we'd all say that, it is that there was absolutely nothing there other than the test message I'd just sent myself from google.   That Yahoo address is so rarely used that it hasn't even seen any spam, ever.

It is theoretically possible that, in a senior moment, I may have opened a dodgy email in my google mail while the yahoo page was open, but that is still extremely unlikely.   I have double checked all recent emails in my google inbox, and all were legitimate.

If I was duped into visiting another website, I think it must have been by some other means than an email link.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30477
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #18 on: April 27, 2013, 01:31:41 PM »

>> I continue to strongly contest the idea that I may have clicked on any link embedded in my yahoo email

You are not alone in that - other people have also reported the same. 

-----

Ive just tracked down the code again.  Yes it is a DOM based XSS attack, which is taking its information from the session cookie.

  The authors comments are interesting about the Yahoo library being vulnerable, as you will see as you read through the document, Yahoo keep applying patches thinking theyve fixed it , but further exploits continue to be found within other parts of the Yahoo library.

Something to note that in step III - Exploiting the vulnerability that although Abyssec's code specifically shows a click being required, there is mention of a method of triggering the exploit "without even [requiring] a click" by the user.

The more recent hack attempts will likely be based on his code, but with a few tweaks.  What concerns me and what I dont know enough about is his reference to adspecs.yahoo.com.   His code is showing the opening of a new window to adspecs which is where the info is being stolen from. 

Could new and more sophisticated code be implemented which shows an ad from a bad source and doesnt require user interaction.   Im really out of my depth now and know stuff all about adspecs, but what if one of the third party advertisers adverts contained rogue code. 

The above is certainly not beyond the realms of possibility because Zynga had a hack attempt about 3 yrs ago that came via a rogue advertiser XSS script.  Most of those attempts were caught because of browser cross frame scripting.  But adspecs uses the same TLD, and the Abyssec code specifically mentions the avoidance of this problem.   

If ads are rotated or targeted, it wouldnt catch all users, but surely it would still net quite a few accounts!

Is someone is clever enough to piece everything together and write the code for it?   Yahoo's history of security seems to be 'close the stable door after the horse has bolted' and only patch holes rather than plug them beforehand.  Their attitude seems to be denial that it happened rather than checking for more open doors.  :(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #19 on: April 27, 2013, 02:20:02 PM »

That's fascinating, thanks for digging it up.  I can't pretend I understand all of it, way out of my league, but I'll read it a few times more and see if comprehension breaks through.

It's actually only second time I ever experienced an attack at first hand, so I was interested to know how it was done.   The other time was when a window system got infected with one of those fake AV progs.    I installed KAV which found & fixed it, but I felt quite smug that it found abosulutely nothing else amiss despite having run Windows for many years without any AV at all.  I do of course insist on an AV nowadays for windows, and might even put one on the MAC now, though I guess it may not have helped this time.

I'm thinking it's a pity I had the Safari browser configured to keep history for just a day, so it has now evaporated.   Otherwise I'd be stepping through the history page by page in a text editor around the time it happened, looking for clues about every websites that got visited.   

I reduced the history size because, for reasons that I'll never accept as being reasonable  ??? , OS/X Safari is well known to be quite a CPU hog, you can often hear the disk heads thrashing mercilessly whenever the browser is open.  Rumours are its chewing over its history trying to 'optimise' something, so I like to keep it short.   But that's off topic, thanks again for the comments.
Logged

sheddyian

  • Kitizen
  • ****
  • Posts: 1089
    • GardenCam Live!
Re: Yahoo account hacked
« Reply #20 on: April 29, 2013, 01:15:15 PM »

Couple of threads popped up regarding Yahoo hacking on Digital Spy forums :

http://forums.digitalspy.co.uk/showthread.php?t=1820548

http://forums.digitalspy.co.uk/showthread.php?t=1821777

So it seems it's still going on!

Ian
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #21 on: April 29, 2013, 02:21:00 PM »

Couple of threads popped up regarding Yahoo hacking on Digital Spy forums :

http://forums.digitalspy.co.uk/showthread.php?t=1820548

http://forums.digitalspy.co.uk/showthread.php?t=1821777

So it seems it's still going on!

Ian

Fascinating.

For anybody else affected, I'd mention the following...

...First thing to do is just login, then navigate to the 'recent logins' page.   If you see, in among all the local UK logins, one from (say) Georgia, then it is fair to assume the account was hacked.   You can also check your 'sent' folder, but the hacker can easily delete things they have sent.

You should probably certainly change the password, but if an XSS attack was involved then (kitz may correct me on this), then the same hack will work just as well with your new password, so don't stop worrying about it just because you have a new password.   Continue to be extra careful about opening dodgy-looking emails or, worse, clicking on links within them.

Have to say I'm much happier with Google's security, in particular the two step verification process, which I think would probably prevent the same scenario if anybody ever found a similar XSS attack method on google.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30477
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #22 on: April 29, 2013, 05:21:04 PM »

It does indeed seem like there is a new wave of this, and based on the fact that so many of the more recent attacks have claims that they havent clicked on links, then its not beyond the realms that someone has found another exploit in the yahoo library and has been 'clever' enough to use it without requiring a click.   Although Abyssec's original code required a user click, there is clear mention that a non-click method is also possible.

>> but if an XSS attack was involved then (kitz may correct me on this), then the same hack will work just as well with your new password,

Im honestly not sure.  Because it uses session cookies, if you delete all suspect mail, close the browser and then change the password you should be ok.   
However what is not clear is just how passwords are being reaped...  it would only take another 'bad mail' to trigger the process again..   OR...  if it is somehow coming via a rogue 3rd party adspecs.yahoo.com advertiser script then it could be triggered each time you open your mail.

Put it this way, Im not opening my (mostly dormant) yahoo account to check my own account until I know for sure that Yahoo have sorted their act out.   

It also concerns me that sky have recently moved over to using Yahoo mail, so we could also possibly be seeing a new wave of complaints come from there.   

Id recommend that sky users (or BTYahoo) use POP3 and download mail to their PC rather than use the webmail service.   Its not total security, but at least youre not going to be using a session cookie, and your email client should hopefully have more chance of catching any nasty script attachments.

--------

I should mention that (normally) session cookies are not bad..  most of the Internet wouldnt work without them.  The problem here seems to be that Yahoo has a massive library of its own scripts which are possibly very much out of date and exploitable.   
Most modern browsers would normally pick up XSS type of attacks (like they did with the Zynga attempt - because the XSS came from a different domain name).   -  Unlike the Yahoo hack were it appears to be using http://adspecs.yahoo.com/  and all the scripts (mail included) share the yahoo.com domain and yahoo libraries.

Finally I should also state that Im no expert on this subject and Im only surmising from what information I know from what little Ive done in session cookies and a morbid curiosity in wanting to know how trojans/hacks etc work during my dissertation days.  Im not clever enough to actual write something like this... so Im happy to be corrected if anyone has more info.

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #23 on: April 29, 2013, 09:41:40 PM »

Where is the activity login page?  I have checked my account and can't find it.

Thanks

gom

Click on your name, 'hello gom' or whatever, pull down 'account info'.  It'll probably ask for your password again.

On the next page, in the left column of second pane, you'll see 'View your recent sign-in activity'

That produces a list of recent signin locations.   You can also click on the box at the top of that column and change 'location' to IP address.   

In my case the locaton was stated as 'Georgia' but by the time I found the IP address facility, I'd logged in too many times and it had dropped off the end of the log.  But the IP address in the header of the emails sent by the hacker was in the range 31.146.92.something .   That is a 'silknet' IP, silknet being Georgia's national telecomms carrier, consistent with the hacker being Georgia-based.

Note I have not published the full IP, and I don't think we should do so.   That may turn out to be unfair if silknet use dynamic IPs in which case the offending IP may by now be reassigned to an innocent by-stander.    If anybody wants to know the '.something' then PM me and I'll tell you.
Logged

HPsauce

  • Helpful
  • Kitizen
  • *
  • Posts: 2464
Re: Yahoo account hacked
« Reply #24 on: April 29, 2013, 09:56:48 PM »

They're obviously doing something to try to mitigate this. I logged into a rarely-used Yahoo (and then normally POP/SMTP) account via webmail from a place I was visiting the other day.
I got asked additional security information AND an email was sent to the "backup" account to warn of the login.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #25 on: April 29, 2013, 10:20:01 PM »

They're obviously doing something to try to mitigate this. I logged into a rarely-used Yahoo (and then normally POP/SMTP) account via webmail from a place I was visiting the other day.
I got asked additional security information AND an email was sent to the "backup" account to warn of the login.

Sounds like they've identified you as a dodgy character, HP.  And who are we to question them?   :angel:

Seriously, that's interesting. I'll be visiting my father's flat next week, I must remember to login again from his IP and see if that happens to me too.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #26 on: May 17, 2013, 09:42:10 AM »

This is getting beyond a joke.  I have another Yahoo account which I'd used only once.  I logged into it when I started this thread to check the log and see it might have been hacked too, it hadn't.

But I just checked again and moments after I'd checked it first time, came what appears to be another hack, from a 'NY US' location.  That's two out of two accounts both hacked.  Plus Geep's and Chrissie's.   This time I received no spam.  The only evidence was the in logfile, which would go unnoticed by the majority of people.  I really wonder now how big this thing might have become?   :o :o

Pattern was similar;  A minute after my own login came another, then a second.  This time both logins were 'browser' logins, whereas before, the first one was 'mobile'.

Much more interesting, by selecting IP address instead of 'location', I can see that the hacker came from two different IPs..  66.196.116., then immediately afterwards, 63.250.196.xxx

From whois....
The first of these is assigned to 'Inktomi Corporation', which I think is now owned by Yahoo Inc
The second is assigned to  'Yahoo! Broadcast Services, Inc'

Make of that what you will.


PS:  More digging I need to amend all of above.

When I logged in this morning, I had to 'reactivate the account', being told that it may have been closed through lack of use.  That didn't surprise me and anyway, it seems closed accounts can be reactivated just by logging ion.  But on further experimentation, if I manually close the account then reactivate it, I ALWAYS see an immediate login from another  63.250.196.124, I guess it's just a Yahoo server doing what I asked it to do.  Maybe I asked for it to be closed a few weeks ago too, and forgot.  So maybe that second account wasn't hacked as such.   :-[

But I am not sure whether or not to be alarmed by the fact that Yahoo admin activity shows up as a normal browser login (from a Yahoo IP) in the 'recent logins', the instant I hit the 'delete' button.  Can't help thinking that might be significant.
« Last Edit: May 17, 2013, 10:31:52 AM by sevenlayermuddle »
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3329
Re: Yahoo account hacked
« Reply #27 on: October 03, 2017, 11:59:51 PM »

Yes this is a thread thatís been dormant for four years.

But interesting all the same.  Seems it wasnít just me affected or just people with (say) names beginning with 7, it was absolutely everybody.    :o

http://www.bbc.co.uk/news/business-41493494
Logged
Pages: 1 [2]