Yahoo warning users of forged cookie account attacks

Yahoo has begun warning users that their accounts have been accessed by a third party using a cookie vulnerability it disclosed and repaired in December last year.

Yahoo has once again begun warning users of unauthorised activity on their accounts, this time linked back to a cookie vulnerability exploited throughout 2015 and 2016.

Yahoo, once the darling of the internet, has been having a tough time of late. In September 2016, the company revealed a data breach which covered 500 million user accounts, which was quickly followed by claims regarding an insecure backdoor implanted for US spy agencies and that it had known of the breach for two years before warning customers. In December last year, the company revealed another breach covering over one billion user accounts, and now it's at it again with the warning that accounts may have been accessed by unauthorised parties throughout 2015 and 2016.

'Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password,' Yahoo explained in an email sent to selected customers this week. 'Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.'

The cookie forging issue was disclosed by the company late last year when it claimed that the source code for its security cookie generation engine had been taken and abused. 'With respect to the cookie forging activity,' the company said in a December statement, 'we invalidated the forged cookies and hardened our systems to secure them against similar attacks.'

While the latest breaches are claimed to have occurred prior to the system-hardening and cookie-invalidations of December 2016, it's not clear why users have begun receiving warnings of illegitimate account activity in February 2017. Yahoo, for its part, has failed to clarify whether these abuses have been discovered as part of a new and more in-depth investigation or if it has taken a full two months to begin warning customers that their accounts were compromised. Yahoo has also been silent on exactly how many of its customers were affected by the attack, which it has vocally blamed on an allegedly 'state-sponsored actor.'

1 Comment
leexgx, 21st February 2017, 13:53
This was an obvious problem around that time that Yahoo decided to ignore.

At least 5 people I know and dealt with had their account accessed in this way: they would log in to your account without a password, scan all emails and contacts for addresses, and then send spam email to each one. You would only know it had happened when you got the mail delivery failure messages, and when Yahoo had a login history page you could see it from there, one from the Yahoo mail app then website access.

Changing the password or even having 2FA enabled did not prevent them from doing it again 2-3 more times.
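Both the remedy Yahoo describes in the article (invalidating the forged cookies and hardening the system after the cookie-generation source was taken) and the comment above (a password change did not lock the intruder out) come down to what a session cookie is bound to. The Python below is an added example, not Yahoo's code and not a description of its actual cookie format: it assumes a keyed HMAC over the cookie body, so that the algorithm can be public without enabling forgery, plus a per-user session generation that is bumped on password change or mass revocation so every earlier cookie is rejected.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# The server-side signing key is the only secret. Someone holding the source
# (the format and algorithm below) still cannot mint a valid cookie without
# it. Generated at import time; constructed for this example.
SERVER_KEY = secrets.token_bytes(32)

# Per-user session generation (assumed design): bumped on password change,
# 2FA enrolment or a mass invalidation. Any cookie carrying an older
# generation is rejected, which makes "invalidate all existing cookies" cheap.
SESSION_GEN = {"alice": 1}


def issue_cookie(user: str, key: bytes = SERVER_KEY, ttl: int = 3600) -> str:
    """Return '<hex body>.<hmac tag>' for a user, bound to the current generation."""
    payload = {"u": user, "g": SESSION_GEN[user], "exp": int(time.time()) + ttl}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and current, else None."""
    try:
        body_hex, tag = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None  # malformed input is a rejection, not a crash
    # Check the MAC (constant-time) before trusting anything inside the body.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    if payload["exp"] < (time.time() if now is None else now):
        return None
    # A stale generation means the session was revoked server-side.
    if payload["g"] != SESSION_GEN.get(payload["u"]):
        return None
    return payload["u"]


def invalidate_user_sessions(user: str) -> None:
    """Bump the generation so every cookie issued so far for this user is dead."""
    SESSION_GEN[user] = SESSION_GEN.get(user, 0) + 1
```

Rotating SERVER_KEY plays the role of the system-wide hardening step; bumping the generation is the per-account step a password change should trigger.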