Rampant brute-force attack against Yahoo Mail

Share this article:
A widespread brute-force attack against Yahoo email users aims to obtain login credentials and then use the hijacked accounts for spamming, a researcher at Breach Security disclosed last week.

Yahoo Mail's main login page utilizes a number of security mechanisms to protect against brute force attacks -- when crooks try every possible combination of username/password until they can break in -- including providing a generic "error" page that does not reveal whether it was the username or password that the user got wrong. Also, Yahoo tracks the number of failed login attempts and requires that users solve a CAPTCHA if they have exceeded a certain number of incorrect tries.

But attackers have found a web service application used to authenticate Yahoo users that does not contain the same security mechanisms against brute force attacks, Ryan Barnett, director of application security research at Breach Security, told SCMagazineUS.com on Monday. Attackers are using this application to obtain actual user credentials.

Barnett said he is not sure what the application is intended for, but based on its name -- /config/isp_verify_user -- it looks to be a web application programming interface (API) used to authenticate ISP business partners of Yahoo, Barnett said.

What is clear is that the application is giving detailed error messages when someone enters the wrong username and password, noting which was incorrect. Also, it does not utilize any CAPTCHA on the error page, enabling attackers to guess an unlimited number of times until they come up with the right credentials.

“Because they are not doing any CAPTCHAS in the error message, the bad guys can hammer this all day long,” Barnett said.

Abuse of the application is “widespread,” Barnett said. Based on data retrieved from the nonprofit security standards organization Web Application Security Consortium's (WASC) Distributed Open Proxy Honeypot Project (DOPHP), which logs the traffic on an open proxy that is often used for cybercrime, the application has been used thousands of times since the end of July.

What's more, data retrieved from the DOPHP likely only represents a portion of the actual attack volume, since it only logs the traffic on one proxy, and cybercriminals usually distribute their criminal activities across multiple proxies, Barnett said.

In 2007, Barnett notified Yahoo about a similar web service that was being used by attackers to circumvent security mechanisms on the legitimate Yahoo mail login page.

A Yahoo spokesperson did not respond to a request for comment on Monday.

“End-users shouldn't be going to this application,” Barnett said. “They [Yahoo] are implementing the proper remediations on the front door; so force them to go to the front door.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Millenials improve security habits, more interested in cyber careers, still need guidance

Millenials improve security habits, more interested in cyber ...

Raytheon's second annual survey on the online and security behavior of Millennials shows improvement but still a long way to go.

Pakistani man indicted over spyware app creation

Hammad Akbar created StealthGenie, which allowed the purchaser to secretly monitor a cell phone's communications.

FDA finalizes guidelines on medical device, patient data security

The recommendations are aimed at providing better protecting patient health and data, as well as hoping device manufacturers take into account cybersecurity risks in the early stages of development.