Email attack exploits vulnerability in Yahoo site to hijack accounts

The vulnerability is located in an old WordPress version used on the Yahoo Developer Network Blog site, Bitdefender researchers say

Hackers behind a recently detected email attack campaign are exploiting a vulnerability in a Yahoo website to hijack the email accounts of Yahoo users and use them for spam, according to security researchers from antivirus vendor Bitdefender.

The attack begins with users receiving a spam email with their name in the subject line and a short "check out this page" message followed by a bit.ly shortened link. Clicking on the link takes users to a website masquerading as the MSNBC news site that contains an article about how to make money while working from home, the Bitdefender researchers said Wednesday in a blog post.

At first glance, this seems no different from other work-from-home scam sites. However, in the background, a piece of JavaScript code exploits a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network (YDN) Blog site in order to steal the visitor's Yahoo session cookie.

Session cookies are unique strings of text stored by websites inside browsers in order to remember logged-in users until they sign out. Web browsers use a security mechanism called the same-origin policy to prevent websites opened in different tabs from accessing each other's resources, like session cookies.

The same-origin policy is usually enforced per domain. For example, google.com cannot access the session cookies for yahoo.com even though the user might be logged into both websites at the same time in the same browser. However, depending on the cookie settings, subdomains can access session cookies set by their parent domains.

This appears to be the case with Yahoo, where the user remains logged in regardless of what Yahoo subdomain they visit, including developer.yahoo.com.

The rogue JavaScript code loaded from the fake MSNBC website forces the visitor's browser to call developer.yahoo.com with a specifically crafted URL that exploits the XSS vulnerability and executes additional JavaScript code in the context of the developer.yahoo.com subdomain.

This additional JavaScript code reads the Yahoo user's session cookie and uploads it to a website controlled by the attackers. The cookie is then used to access the user's email account and send the spam email to all of their contacts. In a sense, this is a XSS-powered, self-propagating email worm.

The exploited XSS vulnerability is actually located in a WordPress component called SWFUpload and was patched in WordPress version 3.3.2 that was released in April 2012, the Bitdefender researchers said. However, the YDN Blog site appears to be using an outdated version of WordPress.

After discovering the attack on Wednesday, the Bitdefender researchers searched the company's spam database and found very similar messages dating back almost a month, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email.

"It is extremely difficult to estimate the success rate of such an attack because it can't be seen in the sensor network," he said. "However, we estimate that roughly one percent of the spam we have processed in the past month is caused by this incident."

Bitdefender reported the vulnerability to Yahoo on Wednesday, but it still appeared to be exploitable on Thursday, Botezatu said. "Some of our test accounts are still sending this specific type of spam," he said.

Yahoo did not immediately respond to a request for comment.

Botezatu advised users to avoid clicking on links received via email, especially if they are shortened with bit.ly. Determining whether a link is malicious before opening it can be hard with attacks like these, he said.

In this case, the messages came from people the users knew -- the senders were in their contact lists -- and the malicious site was well-crafted to look like the respectable MSNBC portal, he said. "It is a type of attack that we expect to be highly successful."

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesYahooonline safetysecurityMailscamsExploits / vulnerabilitiesinternetbitdefender

More about Yahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place