
DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2
reply to mattrixx

Re: E-Mail "Contact List" Hack

I had wondered about this myself but never got a chance to post the query. Over the last month I have been receiving increasing amounts of spam from people I know who have (or had) Yahoo addresses and are addressed to their address book. It is a certainty that Yahoo was compromised and not just some malware infestation of client computers. I just received 6 messages this morning from an account I created solely for testing a specific development project 5 years ago that no one has used since (I am the only one who has the password and it was never kept online or emailed anywhere. On top of that, the password was part of a GUID which means it couldn't have been simply broken via dictionary or brute force.)

I reported this to Yahoo and all I got was an autoresponder telling me how to report spam and how to identify scam emails, and to contact them if I have any questions. Replying to that addy just got another autoresponder telling me the same thing. Dollars to donuts they know they were hacked and are working on saving face before admitting it.
--
"Dance like the photo isn't being tagged; love like you've never been unfriended; and tweet like nobody is following."



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by DC DSL:

I reported this to Yahoo and all I got was an autoresponder telling me how to report spam and how to identify scam emails, and to contact them if I have any questions. Replying to that addy just got another autoresponder telling me the same thing. Dollars to donuts they know they were hacked and are working on saving face before admitting it.

Based on the post about hijacking session cookies, I wonder if "hack" is the appropriate term?

I have several Yahoo! accounts, from the first, signed up July 7, 1999 to the latest, signed up October 26, 2011. They cover a variety of domains, from the original 'yahoo.com', through the ISP domains ('pacbell.net'), to the "free for all" 'att.net'. None have been compromised.

But I haven't clicked on any dubious links in email. I suppose it also helps that I sign out fully, which shortens the window of opportunity to hijack a session.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

1 recommendation

said by NormanS:

Based on the post about hijacking session cookies, I wonder if "hack" is the appropriate term?

I have several Yahoo! accounts, from the first, signed up July 7, 1999 to the latest, signed up October 26, 2011. They cover a variety of domains, from the original 'yahoo.com', through the ISP domains ('pacbell.net'), to the "free for all" 'att.net'. None have been compromised.

But I haven't clicked on any dubious links in email. I suppose it also helps that I sign out fully, which shortens the window of opportunity to hijack a session.

No, it's a hack. The account of mine and, as far as I have been able to determine, the dormant accounts of friends had not been accessed in any way for years. The computers I used back then were decommissioned and nothing from them was ported forward. Also, none of the people I know whose active Yahoo accounts are spewing were clickjacked or have malware infestations, and they don't have any Yahoo software or use mobile access. So, unless there's some new way of getting account credentials that aren't in any way available on a computer, or aren't being bandied about for unsecured wifi sniffing, this is inside-out access.
--
"Dance like the photo isn't being tagged; love like you've never been unfriended; and tweet like nobody is following."


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11

If what you say is true, then it would appear that a Yahoo! employee has violated his trust. Which also isn't "hacking", per se.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

I think a breach from outside is far more likely.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by DC DSL:

I think a breach from outside is far more likely.

I would think that an "outside-in" breach would be pretty far-reaching, and affect more users than the handful who have reported this issue.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

Handful of reports here, perhaps. I'm getting spam from over 100 addresses.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by DC DSL:

Handful of reports here, perhaps. I'm getting spam from over 100 addresses.

I have, maybe, thirty-six contacts with some variation of Yahoo! Mail addresses, including 'pacbell.net', 'sbcglobal.net', and the core 'yahoo.com' addresses. The only one who had an account hijacked lost her 'msn.com' account. In fact, I'd guess, based on reports I have seen, MSN has a larger problem than Yahoo!.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

All core Yahoo. I haven't seen any actual msn/live/hotmail spam (originating from their server, not spoofed) for well over a year.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

I did have one of my 'yahoo.com' email addresses forged, once, a decade ago; nothing that was ever hijacked. The only accounts I've personally encountered that were hijacked were 'aol.com', and 'msn.com'. Neither were mine.

All of the major web mail providers seem to be prone to this problem.

I've had to play "CAPTCHA" with Yahoo! recently because I've moved residence about three times since last February; with the corresponding IP address changes. So their underlying security features seem to be functional.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

These aren't spoofed. They are going out through Yahoo's servers.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

said by DC DSL:

These aren't spoofed. They are going out through Yahoo's servers.

Can you post example headers?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

Why are you trying so hard to pin it on users and NOT a breach or other form of compromise?



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

Because Yahoo! pays me $10,000,000 per month to do so?

Or, possibly because I've seen no credible evidence of an "outside-in" breach. And I have seen many examples online, and two witnessed, of user error.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

Are you a Yahoo employee or someone in an official capacity to do anything? If so, then PM me your information and I will verify it. Lose the attitude, regardless.

As I said, I absolutely know for fact that there is NO POSSIBLE WAY the test address I created years ago could have had its credentials obtained in any manner other than someone getting their hands on the account data. It was never used for anything but testing a site I was developing and then never used again after that. The only contacts it had in the address book were some test addresses at the target domain and my domain; in fact, no one else ever knew it existed. The name, password, and answers to the security questions were from GUIDs that I generated so the chances that anyone guessed 1 of them, much less all, are so infinitesimally low they are nil. What makes clear that the information was obtained from inside is the address book: It contained *every* address I had entered into it, including ones I had deleted.

According to RIPE, the originating IP appears to be an Android mobile browser in Israel. All of the IPs between it and my mail server check out as valid Yahoo addresses.
--
"Dance like the photo isn't being tagged; love like you've never been unfriended; and tweet like nobody is following."



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

I wanted to see at least this line:

Received: from akari.aosake.net (Y!_User@108.219.37.227 with login)
        by smtp203.mail.ne1.yahoo.com with SMTP; 01 May 2012 08:55:09 -0700 PDT
 
But to get access to the contact list would require logging in at 'mailo.yahoo.com'. And to get the user login data from wherever Yahoo! stores it would be a gold mine to the hacker, and should result in such a flood of exploits it would be top-of-the-page news on many sites, besides this one.

Again, Hotmail has been more severely exploited than Yahoo!.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


DC DSL
There's a reason I'm Command.
Premium
join:2000-07-30
Washington, DC
kudos:2

I'm NO beginner at reading headers and I know how to use WHOIS.

The only way I know of to be able to get *DELETED* contacts would be to have copied the records from the underlying datastore...the web UI offers no means of accessing them. So, this cannot be anything but some exploit of the backend.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET

I see another post on this subject; so what do you recommend as the best seasoning for crow?

»AT&T Yahoo web mail compromised

I found an ancient (decade old, anyway), deactivated Yahoo! account and played with reactivation. Considered playing with password reset.

It doesn't appear to be an outright account hijack. Now I think that there is one more thread on the subject; gotta find it and try to bring the poster here. With enough heads banging on this problem, something has to give way.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


dlstyley

join:2004-08-06
Victoria, TX

I'm the one that started the other thread.

While I certainly acknowledge that my password could have been compromised, this just feels like something else. I've been a computer geek and software/web developer since the 90's and I've never had a problem like this. The rare few instances that I've had an "incident", I've been able to figure out exactly what happened. I've always used relatively strong passwords and never (at least not to my knowledge) had someone get access to my password - so this one is really bothering me.

So much so, that I've scoured my primary machine for any signs of malware that may have slipped in, but numerous scans with different anti-virus/anti-malware software have turned up nothing beyond some basic tracking cookies.

The details above regarding session hijacking appear to be a likely candidate, but I'm surprised it's that easy - seems like modern browsers wouldn't allow one site to gain access to a cookie from another site. Reading the Wikipedia article on session hijacking, it seems like it's more difficult than the snippet above would have you believe.


dlstyley

join:2004-08-06
Victoria, TX

This is what the original message looks like. I blocked out key pieces to protect the innocent (or perhaps guilty...). It seems fishy that they were able to send these via the web mail interface without a copy ending up in the "sent items" folder. They could have deleted the sent items, but that would have been tough to do and not just purge the entire sent items folder (they didn't) with an automated process. It's clear this was an automated process (all the sent timestamps are within 1 minute for dozens of messages). Also, if they were careful enough to remove the sent items (presumably to avoid detection), they didn't bother to get rid of the bounced messages that came back (some came back immediately, some a day later).

Just doesn't make sense... I vote for a Yahoo Web Mail exploit, although I certainly hear those saying that if it were, there would be a lot more noise about this by now.

Received: from [98.138.226.180] by nm3.bullet.mail.ne1.yahoo.com with NNFMP; 04 Jul 2012 16:56:33 -0000
Received: from [209.191.108.96] by tm15.bullet.mail.ne1.yahoo.com with NNFMP; 04 Jul 2012 16:56:33 -0000
Received: from [66.94.237.122] by t3.bullet.mud.yahoo.com with NNFMP; 04 Jul 2012 16:56:33 -0000
Received: from [127.0.0.1] by omp1027.access.mail.mud.yahoo.com with NNFMP; 04 Jul 2012 16:56:33 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: XXXXXX.XXXXX.bm@omp1027.access.mail.mud.yahoo.com
Received: (qmail 67836 invoked by uid 60001); 4 Jul 2012 16:56:33 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1341420993; bh=(long hairy key here)=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=(jibberish here)bug=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=sbcglobal.net;
  h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type;
  b=(Lot's of alphanumeric text here)
Received: from [190.8.237.113] by web184512.mail.ne1.yahoo.com via HTTP; Wed, 04 Jul 2012 09:56:33 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <XXXXXXXXXX.XXXXX.YahooMailNeo@web184512.mail.ne1.yahoo.com>
Date: Wed, 4 Jul 2012 09:56:33 -0700 (PDT)
From: XXXXX XXXXXX <dXXXXX@sbcglobal.net>
Reply-To: XXXXX XXXXX <dXXXXX@sbcglobal.net>
To: ABoXXXXX@advXXXXX.com, TABXXXXX@cheXXXXX.com, jmcXXXXX@vicXXXXX.com,
  johXXXXX@hotmail.com, eriXXXXX@utiXXXXX.com, awaXXXXX@jdcXXXXX.com,
  sarXXXXX@yahoo.com, BToXXXXX@advXXXXX.com, jenXXXXX@comXXXXX.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="5768801-2078580510-1341420993=:65524"
 
--5768801-2078580510-1341420993=:65524
Content-Type: text/plain; charset=us-ascii
 
http://texasdepartmentofhuman.uwcblog.com/googlesave.html
--5768801-2078580510-1341420993=:65524
Content-Type: text/html; charset=us-ascii
 
<html><body>
<div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">
<div><a href="http://texasdepartmentofhuman.uwcblog.com/googlesave.html">http://texasdepartmentofhuman.uwcblog.com/googlesave.html</a></div></div></body></html>
--5768801-2078580510-1341420993=:65524--
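As an added example (not code posted by anyone in this thread), here is a small Python script using the standard-library email module that reads a Received chain like the one above and answers the question NormanS and DC DSL are arguing over: did the message enter through the provider's own webmail or SMTP submission host, from which client IP, and does the DKIM signing domain match the From: domain. The first sample is a trimmed copy of the redacted headers posted above; the second is a constructed forgery using documentation addresses, and the provider host suffix is an assumption.

```python
import email
import email.utils
import re
# Constructed sample: a trimmed, redacted copy of the header block posted above (webmail origin).
WEBMAIL_SAMPLE = """\
Received: from [98.138.226.180] by nm3.bullet.mail.ne1.yahoo.com with NNFMP; 04 Jul 2012 16:56:33 -0000
Received: from [127.0.0.1] by omp1027.access.mail.mud.yahoo.com with NNFMP; 04 Jul 2012 16:56:33 -0000
Received: (qmail 67836 invoked by uid 60001); 4 Jul 2012 16:56:33 -0000
DKIM-Signature: v=1; a=rsa-sha256; d=sbcglobal.net; s=s1024; bh=REDACTED; h=From:To; b=REDACTED
Received: from [190.8.237.113] by web184512.mail.ne1.yahoo.com via HTTP; Wed, 04 Jul 2012 09:56:33 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
From: XXXXX XXXXXX <dXXXXX@sbcglobal.net>
"""
# Constructed counter-example: same claimed From: domain, but the only hop is a non-provider host
# (documentation addresses), which is what a plain forgery of the sender usually looks like.
SPOOFED_SAMPLE = """\
Received: from mail.example.net [203.0.113.5] by mx.example.org with ESMTP; 04 Jul 2012 16:56:33 -0000
From: XXXXX XXXXXX <dXXXXX@sbcglobal.net>
"""
PROVIDER_SUFFIX = ".yahoo.com"  # assumption: hosts under this suffix are the provider's own relays
RECEIVED_RE = re.compile(r"from\s+\[?(?P<src>[^\s\]]+)\]?.*?\bby\s+(?P<by>\S+)\s+(?:via|with)\s+(?P<proto>[^\s;]+)", re.I)

def parse_hops(raw):
    """Received hops in header order (last relay first); entries without a 'from' clause are skipped."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if m:
            hops.append({"src": m["src"], "by": m["by"].lower(), "proto": m["proto"].upper()})
    return hops

def submission_hop(hops):
    """Earliest hop where a provider relay accepted the message from a client: webmail (HTTP) or SMTP."""
    for hop in reversed(hops):  # walk from the sender outward
        if hop["by"].endswith(PROVIDER_SUFFIX) and hop["proto"] in ("HTTP", "SMTP"):
            return hop
    return None

def triage(raw):
    msg = email.message_from_string(raw)
    hops = parse_hops(raw)
    sub = submission_hop(hops)
    dkim_d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "all_provider_hops": bool(hops) and all(h["by"].endswith(PROVIDER_SUFFIX) for h in hops),
        "submission_proto": sub["proto"] if sub else None,  # HTTP => sent through the webmail UI
        "origin_ip": sub["src"] if sub else None,           # the client that logged in
        "mailer": msg.get("X-Mailer"),
        "dkim_aligned": bool(dkim_d) and dkim_d[1].lower() == from_domain,
    }
```

For the posted headers this reports a webmail (HTTP) submission from 190.8.237.113 with every relay inside the provider, which is consistent with a logged-in session rather than a forged envelope; the constructed forgery yields no submission hop at all.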
 
 


shearer
Northern Lights
Premium
join:2002-06-18
Asia

said by dlstyley:

Just doesn't make sense... I vote for a Yahoo Web Mail exploit, although I certainly hear those saying that if it were, there would be a lot more noise about this by now.

It could also be that whoever is exploiting this vulnerability, assuming it does exist, is looking to keep the whole thing low-key. Taking advantage of the hole on a massive scale could generate too much noise and publicity, waking up the sleepy folks at Yahoo who will then patch the vulnerability ASAP.