Slashdot Mirror


Yahoo Says Forged Cookie Attack Accessed About 32 Million Accounts (cnet.com)

It looks like Yahoo has yet to reach its lowest point. The company revealed today via a regulatory filing that about 32 million user accounts were accessed by hackers in the past two years using forged cookies that allowed them to log into their accounts without passwords. According to Yahoo, the attack is likely connected to the "same state-sponsored actor believed to be responsible for the 2014 [breach]," which resulted in the theft of user information from 500 million user accounts. CNET reports: "Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say that forged cookies have been invalidated to prevent further use on accounts. Yahoo revealed the attack in December, but the news was largely overlooked because the company announced at the same time that it had identified a separate security breach, which took place in 2013, in which hackers stole information on 1 billion Yahoo accounts. Yahoo CEO Marissa Mayer also revealed today that she is giving Yahoo employees her annual bonus to make up for the massive hacks.

30 comments

  1. Backdoor? by Anonymous Coward · · Score: 0

    So Yahoo had a backdoor that allowed them to get into any account from anywhere? Session data should expire and if you're encrypting a password and putting that into a cookie you still need the password to do it, so this is a backdoor since you don't need the password to do it?

    1. Re:Backdoor? by Anonymous Coward · · Score: 0

      So long as it is the normal implementation as a random hash that is dereferenced on the server, I can't imagine how anyone could forge a session cookie even if he or she could see the backend code. It strikes me that this is instead a breakdown in the "keep me logged in" functionality that the user can select when logging in. This always seems like asking for trouble. Too bad that people are lazy.

      Captcha: toasted

    2. Re:Backdoor? by Anonymous Coward · · Score: 0

      > So Yahoo had a backdoor that allowed them to get into any account from anywhere? Session data should expire and if you're encrypting a password and putting that into a cookie you still need the password to do it, so this is a backdoor since you don't need the password to do it?

      1) You should never EVER store a password in a cookie even if the cookie is encrypted. Use public/private key pairings instead with the public key in the cookie and the private on the server.

      2) There are several use cases where you should be able to login without having/knowing the password - helpdesk personnel emulating a user to troubleshoot issues, most single sign-on services, etc.

      3) If you compromise a server's private key which is used to encrypt the cookie, AND, can learn how to forge the cookie itself using a public/private API - doesn't matter if you have a timeout on the server or not - you can easily recreate/forge a new cookie and have the server trust the new cookie, resetting the timeout. Session data - meh, really don't need it if I have full access to your bank account.

      Fixing this isn't trivial, you'd likely have to rewrite/switch all Yahoo authentication services. I'm not defending them here, only commenting we haven't heard the last of how bad things really are with Yahoo.
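The thread above contrasts two ways of doing a login cookie: a random token that is only meaningful once the server looks it up (the "normal implementation" from the first reply), and a self-contained "keep me logged in" value that the server can verify without state. The following is an added example (not Yahoo's code and not anything the commenters posted) that implements both in a defensible form: the opaque token carries no user data at all, and the stateless cookie is bound with an HMAC over the user and an expiry so that a tampered or expired cookie is rejected. The key, class and function names, and the TTL values are assumptions made for the example; it also shows the point from item 3 and from the summary that once the signing key is treated as compromised, rotating it invalidates every cookie issued under the old key.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed key for this example only; a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"


class OpaqueSessionStore:
    """Sessions as random tokens dereferenced on the server.

    The cookie value is pure randomness, so reading the backend code
    gives an attacker nothing to reconstruct; only the server-side
    table maps a token to a user, and entries expire.
    """

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions: dict[str, tuple[str, float]] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, now + self.ttl)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown (or forged) token
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired: drop it so it cannot be replayed
            return None
        return user

    def revoke_all(self) -> None:
        """Server-side invalidation: every outstanding token stops working."""
        self._sessions.clear()


def sign_cookie(user: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """Stateless 'keep me logged in' cookie: user|expiry|HMAC-SHA256 tag.

    The cookie holds no password; only a holder of the server key can
    mint a valid tag, and the expiry is covered by the tag.
    """
    payload = f"{user}|{expires_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, now: float, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user if the cookie is authentic and unexpired, else None."""
    try:
        user, expires_str, tag = cookie.split("|")
        expires_at = int(expires_str)
    except ValueError:
        return None  # malformed: wrong field count or non-numeric expiry
    expected = hmac.new(key, f"{user}|{expires_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered payload, or minted under a different key
    if now >= expires_at:
        return None  # expired; the expiry itself is protected by the tag
    return user


if __name__ == "__main__":
    store = OpaqueSessionStore(ttl_seconds=60)
    token = store.create("alice", now=1000.0)
    print("opaque, valid:", store.resolve(token, now=1010.0))
    print("opaque, expired:", store.resolve(token, now=1061.0))

    cookie = sign_cookie("bob", expires_at=2000)
    print("signed, valid:", verify_cookie(cookie, now=1500))
    print("signed, tampered:", verify_cookie(cookie.replace("bob", "admin"), now=1500))
    print("signed, key rotated:", verify_cookie(cookie, now=1500, key=b"rotated-key"))
```

The design note a practitioner takes from the thread is the asymmetry between the two schemes: with the opaque store, a leak of source code alone does not let anyone mint a working cookie, while the signed scheme is only as strong as the secrecy of `SERVER_KEY`, so key rotation (and the resulting mass logout) is the remediation when that key may have been exposed.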

  2. COOOOKIE! by Anonymous Coward · · Score: 1

    Om nom nom ...

  3. I am safe! by DraconPern · · Score: 1

    I know for sure I am safe, because I haven't logged in to Yahoo in a while...

    1. Re:I am safe! by Aighearach · · Score: 2

      If an account is taken over and nobody ever tries to log in, does it make a sound?

  4. what really concerns me is by Anonymous Coward · · Score: 0

    that Yahoo! took so long to figure out this was happening...

    1. Re:what really concerns me is by Narcocide · · Score: 1

      Oh please, they knew all along. They just never expected anyone else to figure it out. Do you really think "nation state" actors are the only ones smart enough to reverse-engineer a security system that relies on the user's own password being one-time encrypted into their own session cookie as a load-alleviation feature? That also includes site-wide admin accounts? Please. There's no way that the list of "third parties" doesn't include their own current and former engineers and management staff. By the way, this is how PSN got hacked too.

    2. Re: what really concerns me is by Anonymous Coward · · Score: 0

      If only they stored session data in DNA hosted with Amazon ..

  5. 32 million by JustAnotherOldGuy · · Score: 2

    32 million... to put that into perspective, that's more than the population of Texas, not quite as many as the population of California.

    Or, put another way, that's about the combined populations of Illinois and Pennsylvania.

    Way to go, Yahoo.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:32 million by Anonymous Coward · · Score: 0

      Hhmmm. I don't do populations and I don't think many others do.

      Can I please have an answer in how many libraries-of-congress this is or even better, in a car analogy?

      Thanks,

    2. Re: 32 million by Anonymous Coward · · Score: 0

      16 million pairs of overpaid tits.

    3. Re:32 million by Anonymous Coward · · Score: 0

      Length of Chevy Bolt is roughly 4.16m.

      If you give 32 million people (that is, each Texan) a Chevy Bolt each, the total length can circle the earth 3.3 times.

    4. Re:32 million by Anonymous Coward · · Score: 0

      > Can I please have an answer in how many libraries-of-congress this is or even better, in a car analogy?
      >
      > Thanks,

      Sure. That's 32 million Libraries of Congress or almost the number of cars recalled for having Takata airbags.

  6. $150K to prevent these sure looks cheap now by raymorris · · Score: 5, Interesting

    These vulnerabilities were of course in Yahoo's major service, not some minor service few people used or thought about. In other words, Yahoo mail is probably the number one thing Yahoo should have been thinking about when it comes to security. It also appears likely that these vulnerabilities were simple enough that a dedicated security professional reviewing their systems full time would or should have caught the mistakes, or at least mitigated the risks by pointing out that passwords weren't properly salted and hashed (for the 1 billion hack). It really looks like they could have prevented these by hiring one good security professional; and somebody working remote would have cost them $150K/year, someone in California maybe $300K.

    So essentially they chose to lose $350 million in value rather than prevent the losses by spending $150K-$300K on a competent security person.

    1. Re:$150K to prevent these sure looks cheap now by Anonymous Coward · · Score: 0

      They probably hired someone for $400k who had no idea what he was doing.

    2. Re:$150K to prevent these sure looks cheap now by Aighearach · · Score: 1

      I'd log in and fix the security settings for my Yahoo mail except... I would never give it out, and it hasn't received real mail in many years. They were like Gmail, before Gmail.

      The brand is dead, I don't see much chance of getting resources to fix it. Whatever value Yahoo has is in other stuff than email.

    3. Re:$150K to prevent these sure looks cheap now by Anonymous Coward · · Score: 0

      You are of course, making the assumption that Management would've listened to the Security Admin in the first place.....

    4. Re:$150K to prevent these sure looks cheap now by Anonymous Coward · · Score: 0

      I deleted my account after the first breach. That was more than enough for me.

    5. Re:$150K to prevent these sure looks cheap now by Bite+The+Pillow · · Score: 1

      No, they chose not to have a recurring cost year on year of $150k plus overhead, or roughly $300k. Plus a manager and likely a few coworkers, for maybe $1M per year.

      Would have been worth it still, but you are ignorant of exactly what would be involved. Hiring one guy for all of yahoo would hardly be effective.

      Add in third party teams providing support and access, and you have a huge cost center for no observable gain. Unless the CIO can sell the plan. And that's the CIO's job. Why don't we see that head rolling?

  7. It's sad they consider 32M accounts broken into... by Anonymous Coward · · Score: 0

    to be a nonissue. That just shows how bad their security is. They're almost as bad as Microsoft.

  8. Re: It's sad they consider 32M accounts broken int by Anonymous Coward · · Score: 0

    You're being too harsh. This isn't even close to as bad as Microsoft.

  9. yahoo is still around? by Anonymous Coward · · Score: 0

    I think I have an account or two, can't remember.

    1. Re:yahoo is still around? by Anonymous Coward · · Score: 0

      > I think I have an account or two, can't remember.

      Then you most probably don't, since they close account after like 6 months, and 'recycle' them after like 3 more months... Unless it was a really rare/unique identifier, it's most probably used by someone else now... Hopefully you didn't link any significant account to it, because it's probably lost (unless you want to waste a few hours with 'support'), if not penetrated (the new owner testing common websites for lulz, or the new owner getting a "we already have an account using this email address, if you lost your password, just click here to receive a new one!" when trying to register for real, or websites sending newsletters or "your email is in our files, but you didn't buy anything/watch ads from us in the past few months/years, please come back, and just click here if you forgot your password!" emails...).

      Well, even if it was a really rare/unique identifier, it might have been taken by phishers/spammers/resellers, if previously listed in some spam/phishing lists, or indexed by search engines...

      Because Yahoo! are clearly security and privacy pros...

  10. This is what happens... by Anonymous Coward · · Score: 0

    This is what happens when you run software designed to spy on people and then expect the agency to clean up the mess without a trace when they're done. If you've ever seen a search and seizure, it's no different in the tech world. Instead of clothes thrown everywhere, it's holes in security. Yahoo really fucked up with that. They should have said "no, get a warrant," or whatever legal procedures there are. I'm referring to this: http://reuters.com/article/idUSKCN1241YT. You know damn good and well this wasn't just "grep" being used on a Yahoo admin level. They tore shit up and left like agencies always do. Even for argument's sake, let's say the agency has sophisticated tech (they do; Prism) with very little fingerprint, you can't expect Yahoo to hold the same standards, especially with that many accounts. Data will break and cookies will leak. Do they not have SSL at Yahoo or did that not hold either?

  11. Of course security got short shrift by Anonymous Coward · · Score: 0

    For a struggling company, every ounce of effort goes to getting customers because if you don't succeed in that area the company dies anyway. Effort expended on security is not noticed by the customer unless some pesky security researcher comes by and makes a fuss about it.

  12. Re:It's sad they consider 32M accounts broken into by Aighearach · · Score: 1

    They're like 1990's Microsoft

  13. How many active accounts? by Monoman · · Score: 1

    I have one Yahoo account I still use for junk and 1 or 2 more that I don't use.

    --
    Keep the Classic Slashdot.

  14. That would be Californians. Texans pickup trucks by raymorris · · Score: 1

    > If you give 32 million people (that is, each Texan) a Chevy Bolt each

    That would be Californians who a) drive tiny electric cars and b) expect someone to give them a car. Texans buy their own pickup trucks.

  15. This level of stupid on their primary service by raymorris · · Score: 1

    They *should* have had a good security team as you describe.

    There is a reason I pointed out these are simple, obvious mistakes on their primary service - including not hashing passwords properly, and doing authentication cookies wrong. These are things we check for if a customer orders a $500 security assessment. (Which is basically Nessus + our own scripts + an hour of manual investigation.) Problems of this level are the things one engineer should find in a cheap assessment that takes just a couple of hours. One decent professional hired by Yahoo would probably find them in their first week on the job.