November 26, 2014

Ex-black hat hacker claims to have full backup for one of Yahoo’s domains

(LiveHacking.Com) – A reformed black hat hacker, who now works as an ethical security researcher and penetration tester, has found zero-day vulnerabilities in several online services including some provided by Adobe, Microsoft, Yahoo, Google, Apple and Facebook. Since the tester, who goes by the name Virus_HimA, ceased black hat activities, he has started reporting the vulnerabilities to the vendors instead. According to his post on Pastebin, companies like Google reacted quickly to the reported flaws, but others like Adobe and Yahoo moved very slowly and in some cases didn’t even bother to reply to the disclosure emails they were sent.

As a result Virus_HimA has declared his intention to “teach both of them a hard lesson to harden their security procedures.” This is the lesser of two evils according to the ex-hacker. “It would make a disaster if such companies vulnerabilities was privately used in the underground and they never know about it! not only their customers been affected but the vendors themselves also suffer from such exploits,” he wrote.

As part of his penetration activities, Virus_HimA claims to have access to:

  • Full files backup for one of Yahoo domains
  • Full access to 12 of Yahoo Databases
  • Knowledge of a reflected-XSS (Cross Site Scripting) vulnerability

The researcher has promised never to use, share, sell or publish any of the Adobe or Yahoo data and exploits anywhere, but rather is keen to establish his reputation. To this end, when he released a small sample of data from Adobe, he specifically chose to publish critical email addresses including those with a .mil ending. This got Adobe’s attention: the company quickly started investigating the case, shut down the vulnerable website and emailed him asking for vulnerability details. Apparently Adobe are now working on a patch.

Analysis

This isn’t the first time a frustrated researcher has resorted to public exposure to get a large online business to move quicker with regards to security issues. Back in November PayPal were embroiled in a dispute with a security researcher who reported errors under PayPal’s security bounty scheme. A few weeks later Skype had to move quickly to fix an account hijacking flaw after it was posted online. The problem was that Skype had been made aware of the flaw some three months beforehand.

The ethics of such public exposure are questionable; however, until some of the big online companies start taking these private disclosures more seriously, such exposures will continue to happen.

Egyptian hacker selling Yahoo! Mail exploit for $700

(LiveHacking.Com) – An Egyptian hacker is selling a zero-day exploit for Yahoo! Mail that lets an attacker hijack email accounts. The hacker is offering the exploit for $700 on a hacking related black market website. The exploit uses a cross-site scripting (XSS) vulnerability in yahoo.com that allows an attacker to steal cookies. Once the cookie has been stolen the attacker can send or read email from the victim’s account.

The hacker created a video for potential buyers on the Darkode cybercrime forum. In the video a method for accessing the victim’s account is demonstrated. For the exploit to work the attacker must trick the user into clicking on a specially-crafted link. Brian Krebs has got hold of the video and posted it to YouTube.

As part of the sales pitch the hacker wrote, “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” Notice how he uses his entrepreneurial skills to drop the price to just $700.

Brian Krebs has informed Yahoo! of the problem. According to Ramses Martinez, director of security at Yahoo!, the problem for the engineers is to work out exactly which URL is susceptible, as it isn’t clear from the video. Once found it should be easy enough to fix.

XSS attacks are unfortunately all too common. The site Xssed.com hosts an archive of reported XSS vulnerabilities, including several examples of other XSS flaws in yahoo.com. XSS attacks work by getting an unsuspecting user to click on a malicious link. Once clicked, a script is executed in the context of the vulnerable site and can access cookies, session tokens or other sensitive information stored by the victim’s browser. This information can then be stolen by the attacker.
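The two controls that blunt the cookie-theft scenario described above are output encoding of reflected input and keeping the session cookie out of reach of page scripts. The following is an added example written for this page, not Yahoo’s code or anything from the articles; the `search_term` parameter, the page template and the probe string are constructed for illustration.

```python
"""Reflected-XSS defences: HTML output encoding plus an HttpOnly session cookie.

Added example; the page template, parameter name and probe string below are
constructed for illustration and do not come from the affected site.
"""
import html
from http.cookies import SimpleCookie

# Constructed probe of the kind used when testing whether input is reflected unencoded.
PROBE = "<script>alert(1)</script>"


def render_unsafe(search_term: str) -> str:
    """Reflects user input straight into the page: the vulnerable pattern."""
    return f"<p>Results for: {search_term}</p>"


def render_safe(search_term: str) -> str:
    """Same page with HTML output encoding; the browser shows the text instead of running it."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


def reflects_markup(rendered: str, user_input: str) -> bool:
    """Review-time check: does user-supplied markup survive verbatim into the response?"""
    return "<" in user_input and user_input in rendered


def session_cookie_header(token: str) -> str:
    """Build a Set-Cookie value whose flags keep the session token away from page scripts.

    HttpOnly stops document.cookie from reading it, so a script injected via XSS
    cannot simply exfiltrate the session; Secure and SameSite limit where it is sent.
    """
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"  # needs Python 3.8 or newer
    return jar["session"].OutputString()


if __name__ == "__main__":
    print(render_unsafe(PROBE))  # markup reaches the browser unchanged
    print(render_safe(PROBE))    # markup is rendered as inert text
    print(session_cookie_header("constructed-token-123"))
```

HttpOnly does not remove the XSS flaw itself (an injected script can still act on the user’s behalf within the page), so it is a damage-limiting measure alongside encoding, not a substitute for it.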

Yahoo! fixes security holes which let hackers in but password list still available online

(LiveHacking.Com) – Yahoo has fixed the flaws in its Yahoo! Contributor Network that allowed hackers to steal details for over 450,000 accounts and publish them online. In a post published on Yahoo’s corporate blog, Yahoo confirmed that the stolen data was in a standalone file that contained approximately 450,000 email addresses and passwords belonging to writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!.

“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data,” wrote Yahoo.

The hack was performed by a group going by the name of ‘d33ds’. The hackers got the details from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com using, it is thought, a SQL injection. The passwords extracted were in clear text. The details were posted, for a short time, on the group’s website; however, due to the massive traffic generated, the servers went offline. The group has now moved the archive to other third-party servers and the file is still available.

An analysis of the credentials showed that the most common passwords were: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess and qwerty.

For users who joined the then Associated Content before May 2010 and used a Yahoo! email address, Yahoo! is recommending that they log in and answer the series of authentication questions to change their password.

Over 450,000 Yahoo accounts hacked and published online

(LiveHacking.Com) – A group going by the name ‘d33ds’ has reportedly taken details of 450,000 accounts from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com. It is thought that a SQL injection was used to extract the account information from a Yahoo! database. The passwords extracted were in clear text. The details were posted online on the group’s website; however, that now appears to be offline.
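Both articles name the same two weaknesses: a query that untrusted input could reshape, and passwords stored in clear text. The following added example (written for this page; not Yahoo’s code, and the schema, account list and the classic `' OR '1'='1` test input are constructed) shows the string-built query next to its parameterized form, and cleartext storage next to salted PBKDF2 hashing, so that a leaked table no longer yields usable passwords.

```python
"""SQL injection and cleartext passwords, with the hardened form beside each.

Added example on a constructed in-memory database; not the affected site's code.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; raise for production hardware

# Constructed sample accounts (not from the leaked file).
ACCOUNTS = [("alice@example.com", "sunshine"), ("bob@example.com", "qwerty")]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as '<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """Create the constructed users table; only hashes are written, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(email, hash_password(pw)) for email, pw in ACCOUNTS])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: untrusted input spliced into the SQL text."""
    return conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized: the driver binds the value, so it can never become SQL syntax."""
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    test_input = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, test_input))   # every row comes back
    print("safe:  ", lookup_safe(db, test_input))     # no row matches that literal string
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?", ("bob@example.com",)).fetchone()
    print("stored:", row[0])                           # salt and digest, no cleartext
    print("verify:", verify_password("qwerty", row[0]))
```

The stored column is what an attacker would obtain through an injection like the one reported here; with salted, iterated hashing they get digests to crack rather than a ready-to-use password list.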

Before the list went offline, security researcher Anders Nilsson was able to run an analysis using the password analyzer Pipal to discover which were the most common passwords and domains. The full password analysis is on Pastebin. The top 10 passwords were: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess and qwerty.

Other interesting stats from the analysis show that most passwords were 6 to 9 characters long (over 71%) and that half of the passwords used only lowercase alphanumeric characters. One third used only lowercase letters.
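The statistics quoted above (top passwords, length band, character-class buckets) are the kind of output Pipal produces. The following added example reproduces that style of analysis in Python on a small constructed list; it is not Pipal, not Nilsson’s output, and the sample passwords are made up for illustration.

```python
"""Pipal-style password-list statistics: top-N, length band, character classes.

Added example on a constructed list; not the leaked file or the Pipal tool.
"""
from collections import Counter

# Constructed sample list (not the leaked data).
SAMPLE = ["123456", "password", "123456", "sunshine", "Welcome1", "qwerty",
          "abc123", "123456", "ninja", "P@ssw0rd!", "princess", "password"]


def top_passwords(passwords, n=10):
    """Most common passwords with their counts, highest first."""
    return Counter(passwords).most_common(n)


def length_share(passwords, low=6, high=9):
    """Fraction of passwords whose length lies in [low, high]."""
    hits = sum(1 for p in passwords if low <= len(p) <= high)
    return hits / len(passwords)


def charset_class(pw):
    """Bucket a password by the character classes it uses (Pipal-like names)."""
    if pw.isdigit():
        return "numeric"
    if pw.isalpha() and pw.islower():
        return "loweralpha"
    if pw.isalnum() and pw.islower():      # lowercase letters plus digits
        return "loweralphanum"
    if pw.isalnum():                       # mixed case and/or digits
        return "mixedalphanum"
    return "special"                       # anything with punctuation/symbols


def class_counts(passwords):
    """How many passwords fall into each character-class bucket."""
    return dict(Counter(charset_class(p) for p in passwords))


def summarize(passwords):
    """One dictionary with the figures a report would quote."""
    return {
        "total": len(passwords),
        "top": top_passwords(passwords, 3),
        "len_6_to_9": length_share(passwords),
        "classes": class_counts(passwords),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real dump the interesting figures are exactly these: how concentrated the top entries are (a handful of passwords covering a large share of users), and how many fall in the cheap-to-crack lowercase-only and numeric buckets.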

Yahoo Messenger Zero-Day Exploit Can Change Status Messages

(LiveHacking.Com) – A zero-day exploit has been found in Yahoo! Messenger 11 (including the recently released 11.5.0.152-us) that allows a remote attacker to alter status messages without user interaction or permission.

The vulnerability is in how Messenger processes files sent to a user. Using a specially crafted $InlineAction parameter, an iFrame can be loaded which swaps the status message for one chosen by the attacker. Furthermore, this false status message can contain a link (which could then be used to spread malware).

As Messenger users expect messages from their chosen group of contacts (friends), these rogue messages have a high click-through rate. Once the link is clicked, malware can be installed via known Java, Flash, PDF or IE exploits.

There is also a potential for cyber criminals to try and make money using this new exploit.

Someone can easily set up an affiliate account, generate custom links for products in a campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.

The quickest workaround for this vulnerability is to ensure that you have Yahoo! Messenger set to “ignore anyone who is not in your Yahoo! Contacts”, which is off by default.

Yahoo’s Privacy Chief Moves to Google

(LiveHacking.Com) – Yahoo’s chief trust officer Anne Toth has joined Google as head of privacy for Google+. Although Google already has a privacy chief, Google needs as much help as it can get in forming its privacy policies after it agreed earlier this year to undergo regular privacy audits for the next 20 years.

The deal, which was struck with the US Federal Trade Commission, came in the aftermath of Google’s failed Buzz social network which Google incorporated into Gmail without seeking the permission of its users. In the deal Google must hire an outside auditor to conduct an independent review of its privacy policies every two years and obtain users’ permission before altering how it shares user information with third parties.

Anne announced her move on Google+ on Friday:

Excited to be joining Google and the Google+ team next week. Today I’m enjoying my one, solitary day of unemployment. I love everyone who told me to take time off between jobs but I’m too Type A for my own good.

During her tenure at Yahoo!, Anne tried to embed privacy as part of the culture and headed a “privacy by design” approach to developing new products and features.