If you have been reading my blog entries, you know that Yahoo, one of the first and largest dot coms, has been having a lot of security headaches over the past few years. Most recently you may remember that a breach originally reported to have exposed 500,000,000 user accounts was updated to twice that many, 1 billion user accounts.
Oddly enough, with all of the media coverage on this huge issue, another, more disconcerting issue was reported by Yahoo in December of 2016, largely flew under the RADAR.
This new issue had nothing to do with user names and passwords being compromised, but according to Yahoo, they “believe an unauthorized third-party accessed the Company’s proprietary code to learn how to forge certain cookies”. What does this mean? It means if your account was a victim of one of these “forged cookies”, the malicious parties didn’t need your user name or password to access your account. The new cookies allow them the access accounts without credentials.
According to Mohit Kumar, CEO of The Hacker News, “Yahoo began warning its customers just last month that some state-sponsored actors had accessed their Yahoo accounts by using the sophisticated cookie forging attack.”
He does go on to say, “However, the good news is that the forged cookies have since been “invalidated” by Yahoo so they cannot be used to access user accounts.”
Below is a link to the full article:
Yahoo Reveals 32 Million Accounts Were Hacked Using ‘Cookie Forging Attack’
While it is a great thing that the issues was discovered and the cookies were invalidated, there are still major questions and issues that linger for me. It might not seem like as big of an issue since it only affected 35 million users. However, what is most disconcerting to me is that an “unauthorized party” was able to access “proprietary code” from the company. That is usually the most protected asset of any company like Yahoo.
The other major issue is that the compromise completely circumvents normal authentication, i.e user names and passwords. This means that even if users changed their passwords or other security measures, it likely would have little impact on the malicious party’s ability to access the accounts.
What does this mean for you?
First, if you have one of the accounts that could have been compromised, you should have received an email from Yahoo regarding it in the last month. Follow the advice that they gave you, but I would also change every bit security with them that you can. This means, your password, your security questions, and even turning on any form of secondary authentication they have available. If you are more daring and can, I’d say close any affected Yahoo account you have and change services. Things are not looking good for Yahoo and they are about to be sold and split up anyway.
Second, as always, keep a close watch on all your security surrounding any online account access you have. Your email accounts, believe it or not, are just as important as your bank accounts. Why? Because, if your email is compromised, then a malicious party can issue password resets on your accounts and get into your email to complete them.
Honestly, as important as cyber security is in today’s world, and considering the size and penetration of Yahoo, I am seriously worried about anyone who uses them for anything now. Yahoo just can’t seem to get things together or protect anyone anymore. Perhaps that is unfair, but hey, 3 strikes and all.
As usual, I strongly encourage you all to keep a close watch on everything you do online from banking to email and from social media to online purchasing. Be careful out there and remember that Cyber Watchtower is here if you need us or our help with any of these issues, Yahoo or otherwise.