Cyber criminals exploiting a several year old vulnerability in Yahoo’s mail network that allows for unlimited attempts to guess passwords. The result could be that your Yahoo Mail account could get hacked 🙁
A web application that automates the login process to e-mail service Yahoo Mail turns out to have no protection against brute-force attacks, which opened for systematic attacks where there is only a matter of time before the accounts are hacked according to Ryan Barnett, director of research at Breach Security, which examined how the application responds to calls.
The attacks are made possible via Yahoo’s web application via its text-based application interfaces (APIs) since the API is returning the full reason for the failed login. The most common way to not disclose if it was the password or the login name that failed authentication is to just use the message “Wrong username or password”, but Yahoo is telling the applications the full reason. Yahoo’s API returned straight to the point whether it was password or username set incorrectly, said Barnett.
In the web front users have to enter a CAPTCHA code for failed logins, but that’s not needed via the API. So anyone abusing the API gets unlimited chances to guess the passwords.
According to Barnett, who last week blogged in detail about this, the vulnerability existed in at least two years. He informed Yahoo about the problem in 2007, but as recently as last Friday remained the vulnerability, said he told The Register. Yahoo has also responded that it takes online security very seriously and looking into the matter with the intention to take appropriate action.