Source: Tom's Guide US | Keywords: Yahoo, Application, Email, Spammers, Hole | Themes: The Internet, Software, Networking, Business
There's trouble at Yahoo's back door, and spammers aren't really knocking.
It must hurt to discover that a hole in the barricade has been present for two years, letting the enemy infiltrate the inner sanctum unnoticed. That's basically what Ryan Barnett, director of application security research at Breach Security, told The Register in regards to Yahoo's network. Apparently, spammers have had hold of the exploit for the same length of time, allowing them to send email from valid Yahoo IDs and to "brute-force" attack other Yahoo Mail accounts for login credentials.
The problem, says Barnett here on this blog, is that a web application is creating the back door in part because it automates the login process. Unfortunately, that application does not carry out the same security checks as Yahoo's login page. "If the front gate of your castle is your login page to Yahoo Mail, they've done a good job of securing it," he told The Register. However, he added that the secondary, less secure web application amounts to "some sort of water tunnel that the bad guys are walking right through."
He also told the Register that "a few thousand" or more attempts to use the unprotected web application were observed over the last seven weeks, all brute-force attacks on accounts to recover user passwords. Unfortunately, that may be only a small fraction of the overall invasion; the sensor deployed by the Web Application Security Consortium was installed on just one "of a massive number of open proxies."
Barnett said that he's known about Yahoo's backdoor bug for years, and revealed the problem to Yahoo back in 2007. He said that the problem still hasn't been fixed as of Friday.
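The gap Barnett describes is an authentication path that skips the brute-force checks applied on the main login page. As an added example (not Yahoo's code and not something Barnett published), here is a per-account failed-attempt throttle that both the interactive login page and an automated login endpoint reach through one shared function, so the second path cannot bypass it; the account, password, limits and endpoint names are all constructed for the demo.

```python
"""Shared login-attempt throttle applied to every authentication path."""
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts tolerated per account ...
WINDOW_SECONDS = 600    # ... within this sliding window (seconds)

# Constructed credential store for the demo (hypothetical account, not a real one).
USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    """Per-account sliding window of failed attempts; one instance serves all endpoints."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account, now):
        # Drop failures that fell out of the window.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record(self, account, now, success):
        if success:
            self._failures[account].clear()
        else:
            self._failures[account].append(now)


def authenticate(throttle, endpoint, account, password, now):
    """Single entry point for the interactive login page *and* the automated
    login endpoint, so neither path gets to skip the throttle.

    Returns (outcome, endpoint) with outcome in {"ok", "denied", "locked"}."""
    if throttle.is_locked(account, now):
        return ("locked", endpoint)
    ok = USERS.get(account) == password
    throttle.record(account, now, ok)
    return ("ok" if ok else "denied", endpoint)
```

Failures accumulated through the automated endpoint lock the account for the login page too, which is the property the unprotected Yahoo path lacked.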
Fail yahoo
What is yahoo?
they are way behind the times
I don't get it: once you authenticate, does the page go from secure HTTPS to regular HTTP? I think Google is the only one where you can put the S back in and have the page be secure again. But I could be wrong.
I closed my Yahoo account back in 2002 after they started charging for POP access and never went back. At the time they said that once I cancelled, the user ID would never again be able to be used, yet someone has taken it and has been using it, I discovered recently. Since the ID was my first initial and last name, and there is only one other living person who would share that first initial and last name and they are not using it (I have a very unique last name), then some spammer or other unscrupulous person has my ID and is probably using it for nefarious purposes. Way to go Yahoo, kicking me in the ass after what, 7 years?
2007? By now there must be 1-click Yahoo hack programs available for n00bs as well.
I heard they left it there on purpose just to keep their website activity up.
I wonder what percentage of spam and the like comes from Yahoo through this exploit
I use Yahoo mail. Both me and my dad have had our passwords changed on us before. I wonder if this is the reason why. Maybe at some point I'll change to google mail or something, but, what can I say, I'm lazy.
I hate Yahoo, but if you have AT&T service you have no choice.
It sounds like it does not have a check for how many times a user has entered a wrong password for an account within a set amount of time. Remember, they did mention that the spammers needed to brute force it.
This just in: Yahoo CEO - Carol Bartz - "Yahoo is not an e-mail provider... its value lies in its pages..."
Seems like the only thing they kept out of the inner sanctum was Microsoft.
Strangely enough, I get less spam on Yahoo (personal experience comparison). Maybe spammers were not using Yahoo to attack Yahoo, or it's just a coincidence.
Still, the best way to avoid spam is to never ever ever give out your address to anybody. You know those massive forwards where people don't even bother to edit out previous forwards or put the list in BCC, and you or anybody (spammers included) get great edited lists of mail addresses. Basically, stop using e-mail.