This is a SECURITY ADVISORY for Yahoo Account users.
Recently, researchers found a vulnerability in the Yahoo Android application which allows an attacker to gain access to the user's cookie and, through it, to the account. The attacker is also able to send emails.
For the past few weeks, junk mails from Yahoo account users have been received, and some Yahoo users are also complaining about finding unknown emails in their Yahoo Sent Items folder.
Upon closer inspection, we came across a few facts and have gathered evidence pertaining to the same. Some of the observations are outlined below:
1: Most of these users have their hometown set to the UK in their account settings.
2: Several account settings are default values, consistent across these accounts.
3: The security questions are also default and consistent across all these accounts.
4: Access for Mobile has been enabled.
5: Login activity from mobile appears in the activity logs.
6: The IPs used to access the accounts are from different geographical locations, e.g. Japan, Turkey, France, Mexico, to name a few. All of these IPs are known proxy servers.
7: The sent mails have tell-tale signs of being sent through Yahoo, i.e. DKIM signatures and other information.
8: Manage Locations shows several different locations.
We are in the process of analyzing this; some of the assumptions are outlined below:
1: It seems the Yahoo account security mechanism has been compromised, or there is an issue with the Yahoo web API that allows this type of activity.
2: The attack appears to have started immediately after Yahoo changed its interface.
If you observe mails in your Sent Items, or bounce-mail responses in your Inbox, for mails which you never sent, please review the following:
1: Login activity (IP address)
2: Manage Apps (drilled down)
3: Manage Other Accounts
4: Profile Information
5: Update password-reset info (make a note of the default questions which were selected)
6: Manage Locations
1: Log in to Yahoo.
2: Click on Sent Items and check for any unknown mail.
3: Click on “Accounts Info”.
4: A new tab/window opens and you are asked to authenticate; do so.
5: Scroll to the Sign-in and Security section.
6: Click on “View your recent Login Activity” and check for any anomalous access, especially from “mobile” (as per the observation above); also check the IP address / location.
7: Check whether there has been any login attempt from an unknown IP. If so, immediately change your password, update your password-reset info, and do not forget to add and authorize your mobile number.
8: From Accounts Info go to “Manage Apps and Website Connections” and check for any unauthorized app. As per the observation above, “Mobile access” is enabled on the affected accounts; it should be removed.
9: From Accounts Info go to “Manage other accounts to sign-in”, make a note of all the access which has been enabled, and then remove these access rights. After removing them, verify the list and re-enable only those sites which you regularly use, by logging into those sites.
10: Change your password and update your password-reset info.
11: While modifying “Password reset info”, choose different questions.
12: From the Accounts Info page click on “Update your contact information”, review these settings and ensure that you provide the correct country.
13: From the Accounts Info page click on “Change sign-in settings” and set it to “1 day”.
14: The Sign-In Seal is per device: for every PC or smartphone you use, you have to create an individual seal. The moment you delete the browser cache, the seal is deleted too. Hence, be careful with this option.
15: Manage Locations: when modifying this section, define your own location and delete all other locations which you have not used.
Yahoo has been notified, though they already had a help section titled “Someone is sending Emails from my Account”.
Note For Security Researchers
Sample 1: User is presently in Bangalore
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=o6p7HfQJ15Pb9BTNUC8Y2apbtz9Wv6Xj0LBGclgDd4P4it1i/xj9XQKnKlOr+krc3fs/u0OlCd2S3U8OvipT+MeJy3TCAe1AQkMNtwekti2KDCrkALbH8FeRsi1GbVz2SssUohXXLNscQmE+DxmlsSNN8lKFHcrZeLMkYv6lWjo=;
Received: from [126.96.36.199] by web160912.mail.bf1.yahoo.com via HTTP; Thu, 01 Dec 2011 03:12:49 PST
X-Mailer: YahooMailWebService/0.8.115.331698
Message-ID: <1322737969.56081.androidMobile@web160912.mail.bf1.yahoo.com>
Date: Thu, 1 Dec 2011 03:12:49 -0800 (PST)
Sample 2: User is presently in Mumbai
Received: from [188.8.131.52] by web34403.mail.mud.yahoo.com via HTTP; Wed, 30 Nov 2011 04:32:40 PST
Date: Wed, 30 Nov 2011 04:32:40 -0800 (PST)
Sample 3: Same user (Sample 2) was in Mumbai on the date mentioned
Received: from [184.108.40.206] by web34407.mail.mud.yahoo.com via HTTP; Tue, 29 Nov 2011 07:19:31 PST
Date: Tue, 29 Nov 2011 07:19:31 -0800 (PST)
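As an added example (not part of this advisory), the Python below pulls out the three indicators the samples above rely on: the client IP in the innermost Received hop, the client tag in the Message-ID local part (androidMobile here), and whether the mail carries a provider signature, which shows it went through the account rather than being spoofed. The sample header is constructed from Sample 1; own_ips and uses_mobile are assumed inputs the account owner supplies from their own Login Activity page.

```python
import re
from email import message_from_string

# Constructed sample modelled on Sample 1 above (field shapes and IP as shown in the
# advisory; the DomainKey b= value is replaced by a placeholder).
SAMPLE_1 = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=PLACEHOLDER;\n"
    "Received: from [126.96.36.199] by web160912.mail.bf1.yahoo.com via HTTP; "
    "Thu, 01 Dec 2011 03:12:49 PST\n"
    "X-Mailer: YahooMailWebService/0.8.115.331698\n"
    "Message-ID: <1322737969.56081.androidMobile@web160912.mail.bf1.yahoo.com>\n"
    "Date: Thu, 1 Dec 2011 03:12:49 -0800 (PST)\n"
)

# Yahoo's webmail hop has the form "from [client-ip] by <webserver> via HTTP"
RECEIVED_RE = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+) via (\w+)")


def extract_submission(raw_headers):
    """Pull the fields an account owner can compare with their own sign-in activity."""
    msg = message_from_string(raw_headers)
    origin = None
    for hop in msg.get_all("Received") or []:  # last match = innermost hop = the client
        m = RECEIVED_RE.search(hop)
        if m:
            origin = {"ip": m.group(1), "server": m.group(2), "via": m.group(3)}
    # Message-ID local part is <epoch>.<seq>.<client tag>; the tag names the client used
    local = msg.get("Message-ID", "").strip("<>").split("@")[0]
    parts = local.split(".")
    return {
        "origin": origin,
        "client_tag": parts[2] if len(parts) >= 3 else None,
        "x_mailer": msg.get("X-Mailer"),
        "signed_by_provider": any(h in msg for h in ("DKIM-Signature", "DomainKey-Signature")),
    }


def triage(raw_headers, own_ips, uses_mobile=False):
    """Return the reasons a mail in Sent Items looks like it was not sent by the owner."""
    f = extract_submission(raw_headers)
    reasons = []
    if f["origin"] and f["origin"]["ip"] not in own_ips:
        reasons.append(f"submitted from unknown address {f['origin']['ip']} via {f['origin']['via']}")
    if f["client_tag"] and "mobile" in f["client_tag"].lower() and not uses_mobile:
        reasons.append(f"Message-ID tagged {f['client_tag']} but the owner does not use mobile access")
    if reasons and f["signed_by_provider"]:
        reasons.append("provider-signed: sent through the account itself, not spoofed")
    return reasons
```

Run triage() on the raw headers of a suspicious mail from Sent Items with the IPs you recognise from your own Login Activity; an empty list means nothing in the headers contradicts your own use.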
At last, Yahoo contacted us; they needed more information, which was promptly provided.
Yahoo! Mail suffers from a CSRF vulnerability, and I was wondering whether there is a CSRF for sending mails too.
Yahoo!, keeping in tune with GMail, has offered two-factor authentication for its web users.
More on the feature:
Once the feature is turned on, any suspicious account sign-in attempt will be challenged by a second sign-in verification beyond the initial password validation. To confirm the legitimacy of the sign-in attempt, you or the hijacker will have to answer your account security question or enter a verification code that will be sent to your mobile phone. Presumably, only you, as the legitimate user, can sign in. Account hijackers will be blocked since they neither know your security answer nor possess your mobile phone.
Users who want to activate the second sign-in verification can do it through the Yahoo! Account Info page. The feature is currently available to users residing in the United States, Canada, India, and the Philippines.
I prefer using my mobile phone number. Nowadays it's getting difficult to trust anything on the web.
But the core issue of “sending mails through Yahoo!Mobile” is not yet resolved.