It seems the trouble with “Password Reset” is far from over: the latest 0-day news is all about bypassing the password reset functionality of Hotmail, Yahoo (yes, Yahoo!! We have been saying this for quite some time) and AOL.
The method remains the same: using the Tamper Data add-on for Firefox to modify the POST data and gain access to the password change option.
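The bug class behind this is a reset flow that trusts fields the client sends in the POST body. The following added example (not code from the original post or from any of the affected providers) shows a trusting handler beside a hardened one that ignores client-supplied account fields and only honours a server-issued, HMAC-bound, expiring token; the key, TTL and field names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # constructed for this example; keep server-side
TOKEN_TTL = 15 * 60                   # assumed reset-link lifetime in seconds


def trusting_reset_handler(post: dict):
    """Weak pattern: the account to reset and a 'verified' flag both come from
    the client, so an intercepting proxy can rewrite either field."""
    if post.get("verified") == "1":
        return post.get("user")
    return None


def issue_reset_token(user_id: str, now=None) -> str:
    """Server side: mint a token bound to user_id, an expiry and a nonce.
    Assumes user ids contain no '|' (the field separator used here)."""
    now = int(now if now is not None else time.time())
    expires = now + TOKEN_TTL
    nonce = secrets.token_hex(8)
    payload = f"{user_id}|{expires}|{nonce}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_reset_request(post: dict, now=None):
    """Hardened pattern: the account identity is taken from the verified token
    only; any 'user' or 'verified' field in the POST body is ignored.
    Returns the user id on success, None otherwise."""
    parts = post.get("token", "").split("|")
    if len(parts) != 4:
        return None
    user_id, expires, nonce, mac = parts
    payload = f"{user_id}|{expires}|{nonce}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    now = int(now if now is not None else time.time())
    if not expires.isdigit() or now > int(expires):
        return None
    return user_id
```

Because the account is recovered from the MAC-protected token rather than the request body, editing the POST data with a proxy changes nothing unless the attacker can also forge the MAC.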
After taking a look at these 0-day vulnerabilities, we believe there still exists a vulnerability in Yahoo that allows an attacker to gain unauthorized access to the victim's address book and email-sending functionality.
A few weeks back we issued an advisory for Yahoo users, which can be found here. We urge all Yahoo users to follow the steps and secure themselves, but this is useful only up to a certain extent and will not protect you against abuse of the password reset functionality.
Web-email users are also advised to segregate their password management and follow the tips provided, to ensure that the footprint of such attacks is negligible.
How to segregate your passwords is described in this blog post.
From our past experience, we have found that two-factor authentication and password change notification via mobile phone, without the need for a secondary email ID, work best.
Recently, researchers found a vulnerability in the Yahoo Android application that allows an attacker to gain access to the user's cookie and, from there, to the account. The attacker also has the ability to send emails.