Yahoo warning users of forged cookie account attacks

February 17, 2017 // 11:51 a.m.

Tags: #breach #cookie #cookie-forgery #data-breach #insecurity #security #yahoo

Yahoo has once again begun warning users of unauthorised activity on their accounts, this time linked back to a cookie vulnerability exploited throughout 2015 and 2016.

Yahoo, once the darling of the internet, has been having a tough time of late. In September 2016 the company disclosed a data breach covering 500 million user accounts; that disclosure was quickly followed by claims that it had implanted an insecure backdoor for US spy agencies, and that it had known of the breach for two years before warning customers. In December last year it disclosed another breach, this one covering over one billion user accounts, and now it is at it again, warning that accounts may have been accessed by unauthorised parties throughout 2015 and 2016.

'Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password,' Yahoo explained in an email sent to selected customers this week. 'Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.'

The cookie forging issue was disclosed by the company late last year when it claimed that the source code for its security cookie generation engine had been taken and abused. 'With respect to the cookie forging activity,' the company said in a December statement, 'we invalidated the forged cookies and hardened our systems to secure them against similar attacks.'
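The mechanism Yahoo describes, a cookie whose validity depends on reproducing its generator rather than on knowing a key, is easiest to see beside a hardened version. The following is an added illustrative model, not Yahoo's code and not its actual cookie format (the article gives neither); the cookie layout, the key-id scheme, the session lifetime and every key and user value are assumptions. The weak scheme's only "secret" is a constant in the generator's source, so anyone holding that source mints a valid cookie for any user; the hardened scheme uses an HMAC under a key kept out of the source, carries a key id so a compromised key can be retired (which is what "invalidating the forged cookies" amounts to), and keeps a per-account not-before time so one user's sessions can be cut off without rotating the key for everyone.

```python
"""Illustrative model of a forgeable session cookie beside a hardened, revocable one.

Added example: not Yahoo's code and not its actual cookie format (the article
does not give one). Cookie layout, key ids, TTL and all values are assumptions.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# --- Weak scheme: validity rests on reproducing the generator itself --------
# Assumption: the only "secret" is a constant compiled into the generator's
# source, so whoever obtains that source can mint a valid cookie for any user.
WEAK_SALT = b"salt-embedded-in-source"  # constructed value


def weak_issue(user_id: str) -> str:
    """Server-side issuer: cookie = uid:sha256(salt || uid), no per-user state."""
    digest = hashlib.sha256(WEAK_SALT + user_id.encode()).hexdigest()
    return f"{user_id}:{digest}"


def weak_verify(cookie: str) -> Optional[str]:
    user_id, _, _ = cookie.partition(":")
    return user_id if hmac.compare_digest(weak_issue(user_id), cookie) else None


def forge_with_leaked_source(user_id: str) -> str:
    """Attacker holding the leaked generator: identical computation, any uid."""
    return weak_issue(user_id)


# --- Hardened scheme: keyed MAC, key ids, and two ways to invalidate --------
class CookieAuthority:
    TTL = 14 * 24 * 3600  # assumed session lifetime in seconds

    def __init__(self, keys: Dict[str, bytes], current_kid: str):
        self.keys = dict(keys)        # kid -> key; lives in a secrets store, not in source
        self.current_kid = current_kid
        self.not_before: Dict[str, int] = {}  # uid -> earliest acceptable issue time

    @staticmethod
    def _b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode()

    def issue(self, user_id: str, now: int) -> str:
        payload = json.dumps({"uid": user_id, "iat": now, "kid": self.current_kid},
                             separators=(",", ":"), sort_keys=True).encode()
        tag = hmac.new(self.keys[self.current_kid], payload, hashlib.sha256).digest()
        return self._b64(payload) + "." + self._b64(tag)

    def verify(self, cookie: str, now: int) -> Optional[str]:
        try:
            p64, t64 = cookie.split(".")
            payload = base64.urlsafe_b64decode(p64)
            tag = base64.urlsafe_b64decode(t64)
            claims = json.loads(payload)
            key = self.keys[claims["kid"]]          # retired kid -> KeyError -> reject
            uid, iat = str(claims["uid"]), int(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time tag check
            return None
        if iat > now or iat + self.TTL <= now:       # not from the future, not expired
            return None
        if iat < self.not_before.get(uid, 0):        # per-account invalidation
            return None
        return uid

    def retire_key(self, kid: str) -> None:
        """Drop a compromised key: every cookie signed under it stops verifying."""
        del self.keys[kid]

    def add_key(self, kid: str, key: bytes, make_current: bool = True) -> None:
        self.keys[kid] = key
        if make_current:
            self.current_kid = kid

    def invalidate_user_sessions(self, user_id: str, now: int) -> None:
        """Reject everything issued for this user before `now` (e.g. on password reset)."""
        self.not_before[user_id] = now


def forge_without_key(user_id: str, kid: str, now: int, guessed_key: bytes) -> str:
    """Attacker who knows the format and the key id but not the key."""
    payload = json.dumps({"uid": user_id, "iat": now, "kid": kid},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(guessed_key, payload, hashlib.sha256).digest()
    return CookieAuthority._b64(payload) + "." + CookieAuthority._b64(tag)
```

The difference that matters is where the secret lives: in the weak scheme the generator's source is the secret, so a source leak is a key leak that cannot be undone without changing the algorithm, whereas in the keyed scheme the source can be public and recovery is a key retirement plus, for individual accounts, a not-before timestamp.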

The intrusions Yahoo is now warning about are said to have taken place before the system hardening and cookie invalidation of December 2016, so it is not clear why users began receiving warnings of illegitimate account activity only in February 2017. Yahoo has not said whether these abuses were uncovered by a new and more thorough investigation or whether it simply took a full two months to begin telling customers that their accounts had been compromised. It has also been silent on exactly how many of its customers were affected by the attack, which it has vocally blamed on what it describes as a 'state-sponsored actor.'
