26 April 2007

Huge Yahoo Mail Security Problem

Today, for the first time in about 10 years since I am online, I almost got phished.

What happened was, while checking my yahoo mail, I got a message in my inbox (as opposed to the Bulk folder). So, as any other person would do, I opened it.
It was a message in Romanian, along the lines: "Hey, how are you, long time no see".
It was kind of strange, because I didn't know that person, but since there was no advertising or anything I figgured that maybe it's some old friend I forgot about, so I copied the address and pasted it to the Search box, to determine if I had previous messages from this person.

At that moment, I got redirected to the Yahoo log in page (or so I thought).
The URL was: http://us.f237.mail.ymauth.com/login_verify/?Y=someid

Now, that didn's look suspicious for the following reasons:
1. It looked like the Yahoo log in page.
2. My session was about to expire.
3. It had my username there (so I guess the phisher had unique IDs for each username he sent the phising to)
4. I didn't click on any e-mail links (I thought that I must have accidentally perform some Opera gesture like the back button, and my session just expired).

So I innocently typed my password, then Opera asked me if I want to save it...
Oops. Not good at all. I immediately closed the browser, hoping that the password is sent only after telling Opera whether to remember it or not. Then just in case, I quickly changed my password and forwarded the e-mail to the Yahoo abuse team.

Now, I admit I had some fault in this too, I should have looked at URL location as well. However, I think the biggest problem is with Yahoo, by not doing a proper sanity check of the e-mail (for example, anything that changes the URL without the user's permission should not be allowed).

I was lucky this time, but many others might not be so lucky.
And since a lot of people have all kind of passwords associated with their Yahoo accounts, prepare for a new wave of internet fraud (especially eBay and PayPal).

P.S. Here is the content of the e-mail: http://&/#x77;ww.custodia.it/images/custodia2/us/?id=removed&val=open&cookie=

I tried some online URL decoders but couldn't decode it properly, and I am too lazy to decode the whole thing manually.


Blogger Phil said...

Wow, that's crazy that a search would redirect you like that. I'm glad I use Gmail.

I use Opera, but I have wand disabled because I use KeePass as my password manager; so I would probably have fell for it. What annoys me about Opera sometimes though is when it doesn't work on some pages such as this one that I am using to post this comment. I can't get opera to post it so I am trying again in IE.

26/4/07 22:31  
Blogger Radu said...

No, actually I got redirected before I pressed the search button. But I thought I just pressed enter or did a mouse gesture or something.

What version of Opera are you using? I am using 9.20 and works great with posting comments.

26/4/07 23:35  

Post a Comment

<< Home