Yahoo Mail's main login page utilizes a number of security mechanisms to protect against brute force attacks -- when crooks try every possible combination of username/password until they can break in -- including providing a generic "error" page that does not reveal whether it was the username or password that the user got wrong. Also, Yahoo tracks the number of failed login attempts and requires that users solve a CAPTCHA if they have exceeded a certain number of incorrect tries.
But attackers have found a web service application used to authenticate Yahoo users that does not contain the same security mechanisms against brute force attacks, Ryan Barnett, director of application security research at Breach Security, told SCMagazineUS.com on Monday. Attackers are using this application to obtain actual user credentials.
Barnett said he is not sure what the application is intended for, but based on its name -- /config/isp_verify_user -- it looks to be a web application programming interface (API) used to authenticate ISP business partners of Yahoo, Barnett said.
What is clear is that the application is giving detailed error messages when someone enters the wrong username and password, noting which was incorrect. Also, it does not utilize any CAPTCHA on the error page, enabling attackers to guess an unlimited number of times until they come up with the right credentials.“Because they are not doing any CAPTCHAS in the error message, the bad guys can hammer this all day long,” Barnett said.
Abuse of the application is “widespread,” Barnett said. Based on data retrieved from the nonprofit security standards organization Web Application Security Consortium's (WASC) Distributed Open Proxy Honeypot Project (DOPHP), which logs the traffic on an open proxy that is often used for cybercrime, the application has been used thousands of times since the end of July.
What's more, data retrieved from the DOPHP likely only represents a portion of the actual attack volume, since it only logs the traffic on one proxy, and cybercriminals usually distribute their criminal activities across multiple proxies, Barnett said.
In 2007, Barnett notified Yahoo about a similar web service that was being used by attackers to circumvent security mechanisms on the legitimate Yahoo mail login page.
A Yahoo spokesperson did not respond to a request for comment on Monday.“End-users shouldn't be going to this application,” Barnett said. “They [Yahoo] are implementing the proper remediations on the front door; so force them to go to the front door.”