Yahoo Mail Breach Linked to Old WordPress Vulnerability

Researchers at Australia-based BitDefender say they’ve found how some Yahoo Mail accounts are being hijacked, and it leads back to “buggy” blog software Yahoo’s developers used.

For about a month Yahoo Mail account holders have been falling for a scam in which they click on a short link that appears to take them to an MSN/NBC News site. However, it actually leads to the domain com-im9.net, which is registered in Ukraine and hosted at a data center in Cyprus. A page on the bogus site includes a piece of malicious JavaScript masquerading as a Lightbox library, according to a news release issued today. The code connects to the user’s contacts and sends spam under his or her name.

The attack also relies on retrieving session cookies via a subdomain, which attackers were able to access by exploiting a 9-month-old Cross-Site Scripting flaw (CVE-2012-3414) in the WordPress blog software used by Yahoo developers. That vulnerability was fixed when WordPress version 3.3.2 was released in April 2012.

“Since it is located on a sub-domain of the yahoo.com website, all the attackers need to do is trigger the bug and pass a command that steals the cookie, and then send it ‘home,’” according to the release. “At this point, miscreants have full access to the victim’s contact list until the current session expires or the user logs out. Crooks will either spam the contacts in the stolen lists (which may include friends, family, business contacts, and professors) or use these contacts to send spam e-mails and/or malware in the name of the crook.”
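The attack described above depends on one property: a session cookie that page script on any sub-domain of the main site can read. The check below audits Set-Cookie headers for that property; it is an added example, not code from the article, Yahoo or BitDefender, and the cookie-name hints and the site host it is given are assumptions.

```python
# Added example (not from the article): flag session cookies that an XSS on a
# sub-domain could steal, i.e. cookies scoped to the parent domain and readable
# by script. Sample inputs in the test are constructed.
from http.cookies import SimpleCookie

# Name fragments that usually mark a session/auth cookie (assumption; tune per site).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_set_cookie(header_value, site_host):
    """Return a list of (cookie_name, finding) tuples for one Set-Cookie value.

    site_host is the exact host that should own the cookie, e.g. the mail host;
    a Domain attribute naming anything else widens the cookie to other hosts.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # non-session cookies are not what cookie theft is after

        # Without HttpOnly, document.cookie exposes the value to injected script.
        if not morsel["httponly"]:
            findings.append((name, "missing HttpOnly"))

        # Domain=.parent.example makes the cookie visible on every sub-domain, so
        # an XSS on any one of them (a blog host, for instance) can read it.
        domain = morsel["domain"].lstrip(".")
        if domain and domain != site_host:
            findings.append((name, f"scoped to parent domain {domain}"))

        # Without Secure the cookie also travels over plain HTTP.
        if not morsel["secure"]:
            findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    # Constructed header resembling a weakly scoped session cookie.
    sample = "SESSIONID=abc123; Domain=.example.test; Path=/"
    for cookie, finding in audit_set_cookie(sample, "mail.example.test"):
        print(f"{cookie}: {finding}")
```

Run it against the Set-Cookie headers a login response returns; a session cookie with no findings is one that a sub-domain XSS like the one in the article cannot read.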

The company advises users to take the usual precautions: sign out when you’re done reading or writing e-mails, only click trustworthy links and keep up with antivirus updates and patches.

Discussion

  • Getachew Tefera on

    My yahoo email address and password was hacked a week before and I can not access it. It is true that false information is distributed by these hackers. Yahoo should take measures to retrieve the emails these hackers took. Hackers should know no one will send the money they require if not they became happy with others by making them losers.

  • causes of baldness on

    Very great post. I just stumbled upon your weblog and wished to say that I've truly enjoyed browsing your weblog posts. In any case I'll be subscribing for your feed and I'm hoping you write again soon!

  • brandonkatin9 on

    hi there
