Some accounts may have been accessed with forged cookies as recently as 2016.
Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo's mail service that allowed an attacker—most likely a "state actor," according to Yahoo—to use a forged "cookie" created by software stolen from within Yahoo's internal systems to gain access to user accounts without a password.
Yahoo informed some users in e-mails this week that "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account." The messages concern possible breaches that used the cookie vulnerability in 2014.
The Associated Press' Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.
One recipient of the alert, Joshua Plotkin of the University of Pennsylvania's Plotkin Research Group in Mathematical Biology, posted a screenshot of the message to Twitter:
Joshua B. Plotkin @jplotkin
Hopefully the cookie was forged by a state known for such delicacies. #yahoo #security #baking
2:51 PM - 15 Feb 2017
https://twitter.com/jplotkin/status/...rc=twsrc%5Etfw
The vulnerability itself is not a new revelation. Yahoo previously announced the cookie-based attack quietly in an SEC filing in October 2016. "Forged cookies could allow an intruder to access users’ accounts without a password," Yahoo explained in a security notice originally posted on December 14, 2016. "Based on an ongoing Yahoo investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies."
The user notifications come as negotiations for Yahoo's acquisition by Verizon are nearing a close. According to a Bloomberg report, the series of security woes uncovered during the acquisition process has resulted in Verizon negotiating down Yahoo's $4.8 billion price tag by $250 million.