Unpatched Wordpress Instance on Yahoo Blog Leads to Cookie Theft

A spam wave that has been circulating for roughly a month is stealing Yahoo login credentials by exploiting an old – yet unpatched – vulnerability in a component of the Yahoo Developers blog.

The spam message features a bit.ly shortened URL that takes the user to a web page impersonating the popular MSNBC page, but which turns out to be located on a series of subdomains on hxxp://com-im9.net.

Whois information for the domain reveals it was bought in Ukraine and hosted in a data center in Nicosia, Cyprus.

Once the user lands on the alleged MSNBC page, a piece of JavaScript code inside tries to exploit a known vulnerability (CVE-2012-3414) in the SWF Uploader component on the Yahoo Developers Blog, which is proudly powered by WordPress. We won’t get into the technical stuff, as the issue has not been fixed at the moment of writing.

Since the exploitable component is located on a sub-domain of the target website, the same-origin policy does not prevent the exploit code access to cookies, which are subsequently sent to the attacker. Once they have the log-in cookie, they can authenticate into the victim’s account and send spam or harvest contacts’ e-mail addresses for other spam campaigns. We believe this is the account recruitment stage of the operation and we expect the next wave of messages to feature links to malware.

Bitdefender is currently blocking access to the malicious pages used in the cookie-harvesting campaign. We have also notified Yahoo about the incident and provided the proof-of-concept documentation.

Attack description provided by malware researchers Răzvan Benchea and Octavian Minea.

UPDATED: We have confirmed that his attack does not work on Yahoo.co.jp. The .jp Developer blog seems to be powered by a different blogging platform, which is not vulnerable to the CVE we mentioned in the article, so the attackers won’t have what to bounce their code off of in order to execute code in the context of the Yahoo.co.jp site.

27 Responses to Unpatched WordPress Instance on Yahoo Blog Leads to Cookie Theft


  1. AK says:

    This is the third time my Yahoo account has been hacked in a 2 year period, and it seems to be getting worse. What makes this scary is it collects and sends spam to every email whom I had correspondence with in my inbox. This is the last straw, and I hope Yahoo goes bankrupt and burns in hell.

  2. Plinker says:

    22 Feb 2013 – It seems the situation is not fixed yet as friends received spurious email with either gibberish, blacklisted sights or possible viral sites two days ago.

  3. Dan says:

    My email was hacked and mail was sent out to my contact list. This was from my main email address but one that has never been used. This means they hacked into the Rogers or the Yahoo mail to find the address and probably entered though a back door. Please fix this hole without asking me to change my password as there are probably many more hacked into addresses and changing my password will not stop this type of attack.

    • smr says:

      Obviously we can’t really do anything about a vulnerability in Yahoo systems (except telling you about it. Sorry. However, it really is advisable to change your password.

  4. John says:

    Same problem happened here last night. Attacker was able to use yahoo mobile version to authenticate with stolen cookie and logged into my account from a totally different IP address from the country I’m in. Yahoo can easily add a IP detection routine to reduce this type of attack but guess they’re not that smart.

  5. Jen says:

    Not fixed. Have seen this happening in the last few days to multiple users

  6. Sheila says:

    Happened to me last night. It took the email addresses from my Sent folder and spit out an email to all those contacts. I happen to have an email in my Sent Folder which was addressed incorrectly (typo in the email id). When the hacker sent an email out to all my contacts in my Sent Folder, it picked up the typo email id as well. As a result, I received one of those “Failure Notice” from MAILER-DAEMON@yahoo emails. This clued me in. Guess I’ll always keep one of the incorrectly addressed emails in my Sent Folder.

  7. Ginny says:

    Both my Yahoo accounts were hacked into this week. Addresses were taken not only from I

  8. Ginny says:

    Both my Yahoo accounts were hacked into this week. Addresses were taken from Inbox, sent mail and all of my folders.
    Damage is already done….I’ve changed Passwords and secret questions and contacted Yahoo help (not very helpful)to report it. If I migrate all my files to Gmail, will I also migrate the problem??
    Thanks,
    Ginny

  9. Abe says:

    My Yahoo account was hacked on March 6th 2013. Spam was sent not only to contacts but email addresses in inbox/sent items.

    So Yahoo hasn’t fixed it at all!

    Yahoo doesn’t seem interested in getting hack reports either. I was simply auto- directed to a change password widget.

  10. Abe says:

    According to my Yahoo login information I was hacked from Indonesia with IP 139.194.11.32

    Someone go get them!

  11. Al says:

    My yahoo.ca (Canada)account was hacked on March 7, 2013. According to my login information i was hacked from Croatia. 2 emails sent to everybody with a link to click on. No message. Scary stuff.

  12. woz says:

    Ditto my UK accounts hacked on 6th and 19th March 2013.
    Make sure one of your contacts is you then you’ll know when you’re exploited.

  13. Plinker says:

    When my account was accessed around Feb 22 the IP showed Malaysia, The url enclosed with the email led to a download point for a virus. These guys also used info in the emails as well as my addressbook. I also found out from friends in the it business that recieved an email and from returned email notices. It is a good idea to have some invalid email address’s so that you get warned!
    It seems either Yahoo cannot stop these guys or is not interested in doing so. At least they should a press announcement out to warn people!

  14. Karen says:

    WOW! This is amazing news to me. My computers have been hacked so many times in the past three years and I never could figure out why. Now I know. I get dirty, filthy e-mails TO myself FROM myself and I guarantee I don’t send myself filthy e-mails. Friends and business associates have complained about me sending them filthy e-mail. I guess my only solution is to dump Yahoo as my primary location for e-mail consolidation as even BitDefender doesn’t seem to be able to protect it. I’ve written already about that issue. I’d no idea it was a known issue. NOW I’m REALLY furious at my ISP, AT&T, as their engine runs Yahoo (AT&T, SBC, and Yahoo are actually all the same and from my understanding, they are taking on yet another provider. Monopolies were made illegal in the U.S. way back in the 1980’s but apparently that law doesn’t apply to AT&T. LOL! I say that jokingly but it’s true. AT&T is busy purchasing cellular providers too and have found some loophole in the law that allows a monopoly.

    I’ve JUST finished asking BitDefender to recommend a different centralized e-mail organizer for ALL of my e-mail accounts. As most of you probably know, Hotmail changed their name to Outlook. I don’t have clue ONE why. But with Microsoft, it’s anyone’s guess what kind of sneaky thing they are up to now. Every time I turn around they are up to something else to make us all nuts! BitDefender and other programs work very well with the Outlook that’s included in professional versions of MS Office BUT that program is on one’s hard drive and if one has multiple computers (like I do… I had SIX at one point plus a smart phone and ALL of them had different versions of Outlook so I stopped using it. I couldn’t keep up with running from computer to computer to read and delete e-mails all the time.

    Does anyone out there have a suggestion for a centralized online e-mail that accomodates what used to be “Hotmail” as well as one’s ISP e-mails (example: mine is AT&T but the address is SBCGLOBAL.net but it’s really AT&T, which is really yahoo. YIPES!). I tried Thunderbird as I used to LOVE FoxFire and other Mozilla programs (until Foxfire changed way back after version 3.6). The newest, FF 15 stalls all the time and I can’t stand ANYTHING Microsoft anymore. I’m STUCK with Hotmail/Outlook (I wonder why they changed the name of it?) because I’ve had that same address since 1995. I use Apple’s Safari browser now. It never crashes like I.E. does and sadly, Foxfire does now too. Safari is GREAT. What integrated e-mail would YOU, my BTD friends, advise based on your experience???? Thanks! Karen

  15. Chris says:

    This is still happening with yahoo accounts.

  16. Grengus says:

    Yahoo account got compromised a few days ago. What the f ck is “nukegets . info” (SPAM URL sent to my contacts)??

Leave a Reply

Your email address will not be published. Required fields are marked *