Amid much confusion over the source of the YahooXtra hacking
debacle, an IT expert has released a ''plain English''
explanation describing what really happened, warning users
never to use the ''remember me'' password check box when
logging in.
Institute of IT Professionals New Zealand chief executive
Paul Matthews wrote the backgrounder, complete with advice on
how to protect your email from future hacking attempts.
He first points out that the problems lie largely with Yahoo,
to whom Telecom outsourced its email service back in 2007.
Yahoo has been playing a game of ''cat and mouse'' with
hackers since November last year, Matthews writes, when a
hacker going by the name of The Hell discovered a major
vulnerability on Yahoo's servers and sold it for $700 on a
''black hat'' (malicious hackers') security forum.
The vulnerability apparently came about because Yahoo failed
to keep its blog software up to date - a widely recognised
security hole on the Yahoo sub-domain, developer.yahoo.com,
which had been around for almost nine months.
Because developer.yahoo.com is a sub-domain of yahoo.com,
cookies - the small files that remember who you are on a
website - are accessible to that site. The security hole
allowed the hackers to plant a script on the developer site
that could read the Yahoo login cookie from any browser,
anywhere, which would then be sent ''home'' to the hacker, Mr
Matthews says.
With those details the hackers had full control: the victim's
Yahoo - and YahooXtra - email accounts were at their mercy.
All a customer had to do to be vulnerable was log in to Yahoo
or YahooXtra in the past year and tick the ''remember me''
password box. It made no difference if the account hadn't
been used in months.
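The two properties described above, a login cookie scoped to the parent domain (so developer.yahoo.com could reach it) and a ''remember me'' cookie that persists for months, can be checked from a site's own Set-Cookie headers. The following audit function is an added example, not code from the article or from Yahoo; the header strings and host names in it are constructed for illustration.

```javascript
// Added example (not from the article): audit a Set-Cookie header for the
// properties that made the Yahoo cookie exposure possible:
//   - Domain set to a parent domain, so every sub-domain can read it
//   - no HttpOnly flag, so page script (e.g. injected XSS) can read it
//   - no Secure flag, so it also travels over plain HTTP
//   - a long-lived Expires/Max-Age, as a "remember me" cookie would have
// Sample headers and host names are constructed; they are not Yahoo's.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attrs: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Returns the cookie name and a list of findings for a cookie set by `issuingHost`.
function auditCookie(header, issuingHost) {
  const c = parseSetCookie(header);
  const host = issuingHost.toLowerCase();
  const findings = [];
  const domain = typeof c.attrs.domain === 'string'
    ? c.attrs.domain.replace(/^\./, '').toLowerCase() : null;
  // A Domain attribute naming a parent of the issuing host is shared with
  // every sibling sub-domain, which is exactly how a script on one
  // sub-domain could read another sub-domain's login cookie.
  if (domain && domain !== host && host.endsWith('.' + domain)) {
    findings.push(`shared across all sub-domains of ${domain}`);
  }
  if (!('httponly' in c.attrs)) findings.push('readable by page script (no HttpOnly)');
  if (!('secure' in c.attrs)) findings.push('sent over plain HTTP (no Secure)');
  const persistent = 'expires' in c.attrs ||
    ('max-age' in c.attrs && Number(c.attrs['max-age']) > 0);
  if (persistent) findings.push('persistent (survives closing the browser)');
  return { name: c.name, findings };
}

// Constructed headers: a "remember me" style cookie beside a hardened one.
const WEAK = 'Y=abc123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT';
const HARDENED = 'SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
```

Run `auditCookie(WEAK, 'mail.example.com')` to see all four findings; the hardened, host-only session cookie produces none.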
To carry out the attack, the hackers needed users to visit a
webpage that had the XSS attack code on it - hence the links
in the email.
Telecom initially blamed the ensuing spam attack on a
phishing attempt, but later admitted that the Yahoo email
service had been hacked.
Mr Matthews writes that this was not a phishing attempt
because it wasn't designed to trick you into giving out any
personal details.
Rather, it took users to a webpage that used the vulnerability
on the Yahoo Developers Network to lift their cookie
information, gaining access to the webmail account.
Once the hackers had access to the account, a script was used
to send out an email to everyone in its address book, telling
them to look at the link.
And we all know what happened then.
Even Telecom chief executive Simon Moutter fell victim to the
attack when he opened an email and clicked on the link.
Telecom advised victims to change their password, but
feedback from users has indicated that this didn't fix the
problem.
''Contrary to reports, changing your password really isn't
going to help in this case [although it may have killed the
cookie depending on Yahoo's setup] and updating virus
protection wouldn't help either. Although it's still a good
idea, of course,'' Mr Matthews said.
Avoiding spam
• Never use the ''remember me'' password checkbox on webmail,
no matter how inconvenient it is to log in every time.
• Always log out, as closing the browser window won't
suffice. Once logged out the session is ''dead'' and the
account cannot be accessed.