Peaches
Posted September 20, 2009

Brute-force attacks target two-year hole in Yahoo! Mail

By Dan Goodin

Scammers are exploiting a two-year-old security hole in Yahoo's network that gives them unlimited opportunities to guess login credentials for Yahoo Mail accounts, a researcher said.

The vulnerability resides in a web application that automates the process of logging in to the widely used webmail service. Because it fails to carry out a variety of security checks followed by the login page Yahoo! Mail users typically use, it's providing criminals with a backdoor through which user accounts can be breached, said Ryan Barnett, director of application security research at Breach Security.

"If the front gate of your castle is your login page to Yahoo Mail, they've done a good job of securing it," he told The Register. The web application amounts to "some sort of water tunnel that the bad guys are walking right through."

Over the past seven weeks, a sensor deployed by WASC, or the Web Application Security Consortium, has detected "a few thousand" or more attempts to use the unprotected web application to carry out brute-force attacks on user passwords, Barnett said. Because the sensor is installed on just one of a massive number of open proxies, the honeypot is likely detecting only a small fraction of the overall activity, he added.

Full story – the Register
http://www.theregister.co.uk/2009/09/18/on...o_mail_attacks/