2-Year Hole In Yahoo Open to Spammers

It must hurt to discover that a hole in the barricade has been present for two years, unknowingly letting the enemy infiltrate the inner sanctum. That's basically what Ryan Barnett, director of application security research at Breach Security, told The Register in regards to Yahoo's network. Apparently, spammers have been exploiting the hole for just as long, using it to send email from valid Yahoo IDs and to brute-force other Yahoo Mail accounts for login credentials.

The problem, Barnett says in a blog post, is that a separate web application creates the back door, in part because it automates the login process. Unfortunately, that application does not carry out the same security checks as Yahoo's login page. "If the front gate of your castle is your login page to Yahoo Mail, they've done a good job of securing it," he told The Register. However, he added that the secondary, less secure web application amounts to "some sort of water tunnel that the bad guys are walking right through."

He also told The Register that "a few thousand" or more attempts to use the unprotected web application were observed over the last seven weeks, all trying to brute-force user passwords. Unfortunately, that may be only a small fraction of the overall invasion: the sensor deployed by the Web Application Security Consortium was installed on just one "of a massive number of open proxies."

Barnett said that he's known about Yahoo's backdoor bug for years, and revealed the problem to Yahoo back in 2007. He said that the problem still hasn't been fixed as of Friday.