YahooXtra hacking debacle explained in 'plain English'

Amid much confusion over the source of the YahooXtra hacking debacle, an IT expert has released a ''plain English'' explanation describing what really happened, warning users never to use the ''remember me'' password check box when logging in.

Institute of IT Professionals New Zealand chief executive Paul Matthews wrote the backgrounder, complete with advice on how to protect your email from future hacking attempts.

He first points out that the problems lie largely with Yahoo, to whom Telecom outsourced its email service back in 2007.

Yahoo has been playing a game of ''cat and mouse'' with hackers since November last year, Matthews writes, when a hacker going by the name of The Hell discovered a major vulnerability on Yahoo's servers and sold it on a ''black hat'', or malicious hackers', security forum for $700.

The vulnerability apparently came about because Yahoo failed to keep its blog software up to date - a widely recognised security hole on the Yahoo sub-domain, which had been around for almost nine months.

Because is a sub-domain of, cookies - the small files that remember who you are on a website - are accessible to that site. The security hole allowed the hackers to plant a script on the developer site that could read the Yahoo login cookie from any browser, anywhere, which would then be sent ''home'' to the hacker, Mr Matthews says.

With access to those details, full control meant the victim's Yahoo - and YahooXtra - email accounts were at their mercy. All a customer had to do to be vulnerable was log in to Yahoo or YahooXtra in the past year and tick the ''remember me'' password box. It made no difference if the account hadn't been used in months.
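The three cookie properties the attack relied on (scoped to the parent domain so every sub-domain receives it, readable by page scripts, and persistent because of ''remember me'') can be checked directly on a site's Set-Cookie headers. The following audit is an added example, not code from Yahoo, Telecom or Mr Matthews; the header values and the example.com host names are constructed.

```python
# Audit a Set-Cookie header for the combination that made the YahooXtra
# cookie theft possible: a login cookie scoped to the parent domain, readable
# by JavaScript (no HttpOnly) and persistent (a "remember me" cookie).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieFinding:
    name: str
    domain: Optional[str]   # value of the Domain attribute, None if host-only
    http_only: bool
    persistent: bool        # has Expires or a positive Max-Age
    issues: List[str]


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value into the attributes the audit needs."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, http_only, persistent = None, False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()   # RFC 6265 ignores a leading dot
        elif key == "httponly":
            http_only = True
        elif key == "expires" and val:
            persistent = True
        elif key == "max-age" and val.lstrip("-").isdigit() and int(val) > 0:
            persistent = True
    return CookieFinding(name, domain, http_only, persistent, [])


def audit_set_cookie(header: str, request_host: str) -> CookieFinding:
    """Flag attributes that let a script on a sibling sub-domain read a long-lived login cookie."""
    c = parse_set_cookie(header)
    if c.domain is not None and c.domain != request_host.lower():
        c.issues.append(f"Domain={c.domain}: sent to every sub-domain, not just {request_host}")
    if not c.http_only:
        c.issues.append("missing HttpOnly: readable by page scripts, so XSS can copy it")
    if c.persistent:
        c.issues.append("persistent: outlives the browser session ('remember me')")
    return c


if __name__ == "__main__":
    # Constructed headers: the weak pattern from the article beside a hardened one.
    for hdr in ("login=abc123; Domain=.example.com; Path=/; Max-Age=31536000",
                "login=abc123; Path=/; Secure; HttpOnly"):
        f = audit_set_cookie(hdr, "mail.example.com")
        print(f.name, f.issues or ["no issues found"])
```

A cookie with no Domain attribute is host-only and is never sent to other sub-domains, which is the first of the three fixes this audit checks for.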

To reproduce the attack, the hackers needed users to visit a webpage that had the XSS attack code on it - hence the links in the email.

Telecom initially blamed the ensuing spam attack on a phishing attempt, but later admitted that the Yahoo email service had been hacked.

Mr Matthews writes that this was not a phishing attempt because it wasn't designed to trick you into giving out any personal details.

Rather it took users to a webpage that used the vulnerability on the Yahoo Developers Network to lift their cookie information, gaining access to the webmail account.

Once the hackers had access to the account, a script was used to send out an email to everyone in its address book, telling them to look at the link.

And we all know what happened then.

Even Telecom chief executive Simon Moutter fell victim to the attack when he opened an email and clicked on the link.

Telecom advised victims to change their password, but feedback from users has indicated that this didn't fix the problem.

''Contrary to reports, changing your password really isn't going to help in this case [although it may have killed the cookie depending on Yahoo's setup] and updating virus protection wouldn't help either. Although it's still a good idea, of course,'' Mr Matthews said.

Avoiding spam
• Never use the ''remember me'' password checkbox on webmail, no matter how inconvenient it is to log in every time.
• Always log out, as closing the browser window won't suffice. Once logged out the session is ''dead'' and the account cannot be accessed.

