No subject


Thu Feb 21 15:38:05 EST 2013


I wrote:

"My understanding is Yahoo had a problem that can be exploited by
spammers. If your email account is 'open', i.e. you are logged in, a
malicious site can send mail to everyone in your address book. I do not
know if your address book can also be downloaded by the spam site and used
forever."

Chris wrote:

It's very much worse than that, I'm afraid.

The problem is what's known as a "cross-site scripting" or XSS vulnerability
in which a malicious website (probably the ones in those links delivered in
the spam) is able to retrieve a Yahoo!-set "cookie" from your web browser.
Once the spammer has that, it can be used to start a session with Yahoo!
masquerading as your id, simply by supplying your cookie when the session
starts. At that point, they _are_ you (as far as Yahoo! are concerned) and
have full access to your Yahoo! mail and contacts/history file which are
then used to send spam.

Yahoo! claim to have fixed this in January, but it doesn't look like a full
solution to the problem, as the spammers appear to have found another
route into the system.

A few security suggestions:

1) DON'T click on links in emails that you get from unknown sources, nor
     on ones from "friends" that appear unusual in content or formatting.

2) Always log out of Yahoo, eBay, etc. when you have finished with them;
     just clicking on a shortcut or saved bookmark to go somewhere else
     is likely to leave their authentication cookie in your browser cache.

3) Change your password regularly and do not use anything that is
     either obvious or easily guessed.

4) Do NOT use the same userid (where possible) or (especially) password
     on multiple sites; if one password is compromised it will
     automatically be tried out on other sites.

5) Clear your web browser cache regularly to remove unwanted cookies.

6) If you can run an anti-snooping program (I use Ghostery on the Mac),
     you will be positively _amazed_ at the number of tracking bugs (1x1
     pixel transparent .gif files - invisible to the naked eye) that
     websites contain for "market research" (cough) purposes.

------------

I hope this helps.

-John
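As an added example (not part of John's or Chris's message, and not Yahoo!'s code), here is the server-side check that blunts the cookie-theft path Chris describes: a session cookie marked HttpOnly cannot be read by script injected through an XSS hole, Secure keeps it off plain HTTP, SameSite keeps it off cross-site requests, and leaving out Expires/Max-Age makes it die when the browser closes (suggestion 2 above). The cookie names and values are constructed samples; the attribute policy is an assumption of this example.

```python
# Added example: audit a Set-Cookie header for the attributes that limit
# what a stolen or script-read session cookie is worth, and emit one that
# passes. Sample cookie values are constructed, not from any real site.
from http import cookies

def audit_set_cookie(header_value: str):
    """Return a list of problems found in one Set-Cookie header value."""
    jar = cookies.SimpleCookie()
    jar.load(header_value)
    problems = []
    for name, morsel in jar.items():
        # HttpOnly: JavaScript in the page (e.g. an XSS payload) cannot read it
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable by injected script)")
        # Secure: never sent over plain HTTP, so not exposed on the wire
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure (sent over plain HTTP)")
        # SameSite: not attached to requests started from another site
        if morsel["samesite"].lower() not in ("lax", "strict"):
            problems.append(f"{name}: SameSite not Lax/Strict (sent cross-site)")
        # A session cookie with Expires/Max-Age outlives closing the browser,
        # which is exactly what suggestion 2 (log out) is trying to avoid
        if morsel["expires"] or morsel["max-age"]:
            problems.append(f"{name}: persistent cookie (survives browser close)")
    return problems

def build_session_cookie(name: str, value: str) -> str:
    """Emit a Set-Cookie value that passes audit_set_cookie()."""
    morsel = cookies.Morsel()
    morsel.set(name, value, value)
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    # No expires/max-age on purpose: the cookie is scoped to the browser session
    return morsel.OutputString()

if __name__ == "__main__":
    WEAK = "session=s3cr3t; Path=/; Max-Age=31536000"  # constructed sample
    for problem in audit_set_cookie(WEAK):
        print("weak:", problem)
    print("hardened:", build_session_cookie("session", "s3cr3t"))
```

Run it against the Set-Cookie headers a site actually returns (e.g. copied from the browser's developer tools) to see whether its session cookie is readable by page script at all.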
