Popular webmail providers like Yahoo, Google, etc recently confirmed that a large number of their users' account names and passwords have been made available on the Internet. At the same time, Bkis got lots of complaints about spam emails originated from real email addresses. Judging there might be a security hole, we decided to investigate the problem on Yahoo's services.
A user needs just one Yahoo! ID to use Yahoo's different services, such as Yahoo Messager, Yahoo Mail, Yahoo Calendar, Yahoo Group, Yahoo 360 plus, etc. To ensure the independence among the services, Yahoo implements APIs, which enable the application programs or services to gain necessary information when processing. For instance, by sending the online checking request to http://opi.yahoo.com/online?u=[account]&m=t , a program may find out whether an account is online or not through the returned information.
[account] is NOT ONLINE
Yahoo users use a common login interface page to sign in to Yahoo different services.
Figure 1: Yahoo login interface page
The login interface page is built in a way that prevents Brute force attacks with the checking mechanism of the number of incorrect logins. Accordingly, if users unsuccessfully log in to the system a successive number of times, the system will warn and require users to fill in the authentication information.
Figure 2: Warning of invalid login credentials and demand for authentication
Additionally, the warning does not state clearly which part of the login credentials, the username or the password, is incorrect.
Specifically, when a user tries to log in to the system, his browser will send a request under the following form to the server:
POST /config/login? HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:184.108.40.206) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)
Accept: text text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: B=4jm3qlp5d58u3&b=4&d=O130OmxpYEGlIZP1YCbDzSTPktg-&s=f6&i=oA8AifqduP1j..zoKIjA; F=a=TYdAO04MvTLKDFRF6qigU15.SbNMKCHfWLkAgqc9Z4tfEo1jWCkmbkJsbfI7kj2oFAJCUkpmArDdIxsOvO6Dxzx7vA--&b=BSAU; YLS=v=1&p=0&n=0; U=mt=l.idZZ2MhYnqT.OMUmZv.oKxh_Zgndd.3dI41zbZ&ux=Vkm6KB&un=d67bv68g9ld8r; BA=t=1257385349; Y=v=1&n=4hu7753hahuam&p=; RT=s=1257385453007&u=&r=http%3A//vn.mc767.mail.yahoo.com/mc/welcome%3F.gx%3D0%26.tm%3D1257385301%26.rand%3D9p5f9pabnhspm
- login bears the username and
- password is the user's access password.
- tries indicates the number of unsuccessful logins,
The server, on receiving the request, will utilize an API named config/isp_verify_user to identify the accuracy of the username and password. If the information carried by the request is correct, the user then has access to Yahoo's services. On the contrary, basing on .tries variable, the server notifies the user and requires another account's authorization.
Nevertheless, there's a weakness in this user authentication mechanism of Yahoo that can be bypassed by bad guys. In that, Brute force attacks will not be performed on the login interface page that Yahoo provides. Instead, hackers will directly send requests to config/isp_verify_user. From the returned values, the hackers can identify the exact usernames and passwords.
For example, when the request sent to config/isp_verify_user is as followed:
http://..../config/isp_verify_user?cookies=1&l=[username]&p=[password], the information the hackers get back will be:
| ERROR:210:Required fields missing (expected l,p) || Inadequate entered information |
| ERROR:102:Invalid Login || No existence of the account on the system |
| ERROR:101:Invalid Password || Inaccurate password |
| OK:0:username || Successful login |
We can see that by sending direct requests, hackers can avoid the limitation of unsuccessful logins. This creates a favorable condition for hackers to write programs that are able to automatically send requests, check the returned values and get the users' information.
Besides, with Yahoo, easy-to-guest passwords like “123456”, “123456789”, “abcdef” … are totally acceptable. In reality, many users use simple passwords for their email accounts. This helps hackers have more effective efforts with their attacks.
The gained usernames and passwords will then be used for malicious purposes. Hackers might use these accounts to send spams. The spams, for being sent from authenticate accounts, have high possibility to bypass Yahoo's anti-spam system. Moreover, under the name of real users, hackers can carry out transactions with other people through the accounts they harvested. They can also use confidential information of users for bad purposes.
Yahoo hasn't released any solution to this problem yet. Bkis, hence, recommends that users of Yahoo's services use strong passwords to minimize the chances that hackers find out your passwords through normal methods. Strong passwords have at least 8 characters and contain uppercase letters, lowercase letters and numeric characters. You can check the strength of your passwords here.
Analyst: Truong Thao Nguyen