Saturday, June 8, 2013

Yahoo! Made Me a Jackass


This morning at 7:49am PST Yahoo! gave a spammer access to my account.

My account was not hacked and nobody has my password. Instead it was accessed via a "Yahoo! Partner's Application". Not one I actively authorized.
Yahoo! authorizes a broad array of internet based services, blogs, widgets and whatnots to access user accounts via tokens and credentials. They also drop copious cookies tied to your profile. Throw in an ever-growing bug-list and our accounts are fair game for the spammers. My password never played a role.

I never opted-in to open my account to any "Yahoo! Partner's Application". I'm very deliberate about my passwords and what systems I use. But I have a pretty good idea why it got added while I wasn't looking.  I also have a good idea why tens of millions of Yahoo! accounts remain vulnerable for months.

There's no such thing a free lunch. The free email providers have to make money somehow. For Yahoo! it's important that their users can range far and wide across their extended network of websites without being stopped at a login prompt.

The 800 pound gorilla in the room is that the vast majority of software has vulnerabilities which leave you at risk. This risk grows quickly as you access more systems. If an internet giant like Yahoo! decides to allow it's extended network to access your account the risk becomes a statistical certainty.

It isn't a priority for Yahoo!  that user accounts are vulnerable. It's a sad reality that it's only taken seriously when it becomes a PR problem. About 10 years back I brought a potentially devasting security bug to the attention of Yahoo and Microsoft IE engineering. I never got any followup- and a year later the bug had not been fixed.

About 100 spam messages went out from my account and now I look like a jackass. No spammer sat down and decided to relay spam via my account. No human targetted me specifically - I was just the next entry on a very long list. Maybe you are on tomorrow's list.

So the lesson here is to check your account security settings carefully and regularly for applications, credential sharing and networks that you've been opted into. Disable and remove everything you don't need or use. And remember that while most of the security recommendations these companies tell you are solid they are not going to discourage a feature that makes revenue for them even when it carries additional risk for you.

My sincere apologies to everyone who got spam from my account. This is the first time this has happened to me in 20 years of pushing these keys. I do computer security for a living so this stings me regardless of who is at fault. I should have been more diligent in checking my account settings for the creeping appearance of undesirable features.

I've reviewed the entire incident and removed all access rights to "Partner" applications (which I never enabled in the first place - thank you Yahoo!) and mobile access (which I don't use). I've also bounced the password a few times though that was not the issue here. This is pretty much all I can think of to do now.

I am going to work hard at finding new ways not to look like a jackass to those people who trust me with their email. Sorry.

-J



2 comments:

cleverlemming said...

I was a victim of the same exploit. A Yahoo! Partner's Application connected from Romania, and then the next login was a webmail login from the same country. What's most frustrating is that Yahoo is silent on these disasters, offering no help or advice.

http://www.telegraph.co.uk/finance/newsbysector/epic/btdota/10089355/BT-dumps-Yahoo-email-after-hacking-claims.html

John Roy said...

I think Yahoo! are on a downhill slide. As noted in my post they could stop 99% of these exploits by disabling non-yahoo access for users that don't use it.

BTW I'm guessing the login country reported by Yahoo! is not a good indicator of where the spammer was operating - most likely this is just the location of an infected computer relaying spam in a botnet.