Gerry Morley - Cyber Security & Disaster Recovery Consultant

Yahoo hackers prove they don’t need your online passwords: they can forge your browser cookies to access your online data.


In December 2016 Yahoo quietly revealed to its users, in the form of a security update, that their accounts may have been compromised as recently as last year, after an ongoing cyber security investigation found evidence that hackers had managed to create forged cookies to gain access to Yahoo user accounts.

What are Cookies used for?

Remember that box that says “Keep me signed in” or “Remember My Login” when you log into services like Gmail, Amazon or Yahoo? Well, ticking it makes the website store a small text file on your computer called a cookie. When you visit the same website again, the website first checks the relevant cookie on your PC to see if it contains the data indicating you ticked the box “Keep me signed in”, so you don’t have to type your password to log in again. Websites and advertisers also use cookies to serve up personalised webpages to you based on your online activity.

How Hackers Can Use Cookies to Access Your Data

Instead of stealing passwords, hackers trick the online service into believing the victim has already logged in by forging the little web browser tokens called cookies. Normally, even if you close the window or shut down your system, you will not have to log back into your account, because the cookie stored by your browser tells the online service that you already submitted your username and password. A forged cookie makes exactly that claim without the password ever having been entered.

“Forged cookies” are the digital keys that allow access to accounts without re-entering passwords.

In the case of Yahoo, it appears that internal company software (used to generate cookies) was stolen by hackers, who used it to create forged cookies that trick Yahoo into thinking its user accounts are already logged in. And that’s how the cookie crumbled….
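To make the "stolen cookie-generating software" scenario concrete, here is an added example (not code from the original post, and not Yahoo's own scheme) of a minimal "keep me signed in" cookie service. The cookie carries a session id and an expiry, signed with an HMAC key; all names, the cookie layout and the signing key are constructed for illustration. It shows two verification styles: a stateless one that trusts the signature alone, which accepts any cookie minted with the key, and a stateful one that also requires the session id to exist in the server's own session table, which rejects a cookie minted with a stolen key but never issued by a real login, and lets the service cut off every outstanding cookie by rotating the key or clearing the table.

```python
import hmac
import hashlib
import secrets


class SessionCookieService:
    """Mints and verifies 'keep me signed in' cookies (constructed example)."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 7 * 24 * 3600):
        self.signing_key = signing_key
        self.ttl = ttl_seconds
        # Server-side record of sessions the login flow actually created:
        # session_id -> (user, expires_at)
        self.sessions: dict[str, tuple[str, int]] = {}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()

    def issue(self, user: str, now: int) -> str:
        """Called after a successful password login; returns the cookie value."""
        session_id = secrets.token_urlsafe(16)
        expires = now + self.ttl
        self.sessions[session_id] = (user, expires)
        return mint_with_key(self.signing_key, session_id, expires)

    def _parse(self, cookie: str):
        parts = cookie.split("|")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        session_id, expires_str, sig = parts
        payload = f"{session_id}|{expires_str}".encode()
        # Constant-time comparison so a forger cannot learn the MAC byte by byte
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        return session_id, int(expires_str)

    def verify_signature_only(self, cookie: str, now: int):
        """Stateless check: anyone holding the key can satisfy it."""
        parsed = self._parse(cookie)
        if parsed is None or parsed[1] <= now:
            return None
        return parsed[0]  # signature is valid, so the session id is 'trusted'

    def verify(self, cookie: str, now: int):
        """Stateful check: signature AND a session the server itself issued."""
        parsed = self._parse(cookie)
        if parsed is None:
            return None
        session_id, expires = parsed
        if expires <= now:
            return None
        entry = self.sessions.get(session_id)
        if entry is None or entry[1] != expires:
            return None  # never issued, revoked, or expiry rewritten
        return entry[0]

    def rotate_key(self, new_key: bytes) -> None:
        """Invalidates every cookie signed with the old key, forged or not."""
        self.signing_key = new_key

    def revoke_all(self) -> None:
        """Logs everyone out even if the current key is still trusted."""
        self.sessions.clear()


def mint_with_key(key: bytes, session_id: str, expires: int) -> str:
    """The signing step on its own: whoever holds the key can run it, which
    is exactly why a stolen cookie generator is equivalent to stolen logins."""
    payload = f"{session_id}|{expires}".encode()
    return payload.decode() + "|" + hmac.new(key, payload, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Walks through a real login, a cookie minted with a stolen key, and key rotation."""
    now = 1_000_000
    svc = SessionCookieService(b"constructed-signing-key")
    real = svc.issue("alice", now)
    # Simulates the failure mode in the text: the key leaked, a cookie was minted
    # for a session id the login flow never created.
    stolen_key_cookie = mint_with_key(b"constructed-signing-key", "not-a-real-session", now + 3600)
    results = {
        "real_cookie_accepted": svc.verify(real, now + 1),
        "stateless_accepts_stolen_key_cookie": svc.verify_signature_only(stolen_key_cookie, now + 1),
        "stateful_rejects_stolen_key_cookie": svc.verify(stolen_key_cookie, now + 1),
        "expired_rejected": svc.verify(real, now + svc.ttl + 1),
        "tampered_rejected": svc.verify(real[:-1] + ("0" if real[-1] != "0" else "1"), now + 1),
    }
    svc.rotate_key(b"constructed-rotated-key")
    results["after_rotation_rejected"] = svc.verify(real, now + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stateless path is the interesting one: nothing in the cookie itself distinguishes a genuine login from a cookie produced by someone who has the generator and its key, so detection has to come from the server side (unknown session ids, cookies presented from unexpected locations) and recovery has to come from rotating the key and clearing sessions, which is the "sign in again" experience users see after an incident like this.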

The total number of customers affected by this attack is still unknown, though the company has confirmed that the accounts were affected by a security flaw in Yahoo’s mail service. Allegations have abounded since October last year that Yahoo knowingly allowed the illegal scanning of users’ emails to be undertaken covertly via code installed on its servers by USA government intelligence agencies. It is suggested that a secret court order was issued by the US government in the name of terrorism and that Yahoo facilitated it.

What can you do to protect yourself?

Well, in this particular case there is little you could have done to prevent access to your Yahoo account, because the forgery happened on Yahoo’s side rather than on your PC. However, for those who do not wish to have their cookies stolen by a future cleverly crafted attack, we recommend you go into your web browser settings and choose to bin/delete your cookies automatically when you close your internet browser. See here for more info on how to do that. Note that deleting your cookies when you close the browser will most likely require you to sign back into your online accounts the next time you browse to that site.

Tip of the Day: Bin those cookies. As convenient as they might initially seem, the effects of keeping them could impact you more than you think.

Original Source: http://thehackernews.com/2017/02/yahoo-hack.html