Email attack exploits vulnerability in Yahoo site to hijack accounts

The vulnerability is located in an old WordPress version used on the Yahoo Developer Network Blog site, Bitdefender researchers say

Hackers behind a recently detected email attack campaign are exploiting a vulnerability in a Yahoo website to hijack the email accounts of Yahoo users and use them for spam, according to security researchers from antivirus vendor Bitdefender.

The attack begins with users receiving a spam email with their name in the subject line and a short "check out this page" message followed by a bit.ly shortened link. Clicking on the link takes users to a website masquerading as the MSNBC news site that contains an article about how to make money while working from home, the Bitdefender researchers said Wednesday in a blog post.

At first glance, this seems no different from other work-from-home scam sites. However, in the background, a piece of JavaScript code exploits a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network (YDN) Blog site in order to steal the visitor's Yahoo session cookie.

Session cookies are unique strings of text stored by websites inside browsers in order to remember logged-in users until they sign out. Web browsers use a security mechanism called the same-origin policy to prevent websites opened in different tabs from accessing each other's resources, like session cookies.

The same-origin policy is usually enforced per domain. For example, google.com cannot access the session cookies for yahoo.com even though the user might be logged into both websites at the same time in the same browser. However, depending on the cookie settings, subdomains can access session cookies set by their parent domains.

This appears to be the case with Yahoo, where the user remains logged in regardless of what Yahoo subdomain they visit, including developer.yahoo.com.

The rogue JavaScript code loaded from the fake MSNBC website forces the visitor's browser to call developer.yahoo.com with a specifically crafted URL that exploits the XSS vulnerability and executes additional JavaScript code in the context of the developer.yahoo.com subdomain.

This additional JavaScript code reads the Yahoo user's session cookie and uploads it to a website controlled by the attackers. The cookie is then used to access the user's email account and send the spam email to all of their contacts. In a sense, this is a XSS-powered, self-propagating email worm.

The exploited XSS vulnerability is actually located in a WordPress component called SWFUpload and was patched in WordPress version 3.3.2 that was released in April 2012, the Bitdefender researchers said. However, the YDN Blog site appears to be using an outdated version of WordPress.

After discovering the attack on Wednesday, the Bitdefender researchers searched the company's spam database and found very similar messages dating back almost a month, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email.

"It is extremely difficult to estimate the success rate of such an attack because it can't be seen in the sensor network," he said. "However, we estimate that roughly one percent of the spam we have processed in the past month is caused by this incident."

Bitdefender reported the vulnerability to Yahoo on Wednesday, but it still appeared to be exploitable on Thursday, Botezatu said. "Some of our test accounts are still sending this specific type of spam," he said.

Yahoo did not immediately respond to a request for comment.

Botezatu advised users to avoid clicking on links received via email, especially if they are shortened with bit.ly. Determining whether a link is malicious before opening it can be hard with attacks like these, he said.

In this case, the messages came from people the users knew -- the senders were in their contact lists -- and the malicious site was well-crafted to look like the respectable MSNBC portal, he said. "It is a type of attack that we expect to be highly successful."

Join the PC World newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesYahooonline safetysecurityMailscamsExploits / vulnerabilitiesinternetbitdefender

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?