Biz & IT —

Yahoo reveals more breachiness to users victimized by forged cookies [Updated]

Some accounts may have been accessed with forged cookies as recently as 2016.

Yahoo reveals more breachiness to users victimized by forged cookies [Updated]

Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo's mail service that allowed an attacker—most likely a "state actor," according to Yahoo—to use a forged "cookie" created by software stolen from within Yahoo's internal systems to gain access to user accounts without a password.

Yahoo informed some users in e-mails this week that "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account." The messages are regarding possible breaches using the cookie vulnerability in 2014.

The Associated Press' Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.

One recipient of the alert, Joshua Plotkin of the University of Pennsylvania's Plotkin Research Group in Mathematical Biology, posted a screen shot of the message to Twitter:

The vulnerability itself is not a new revelation. Yahoo previously announced the cookie-based attack quietly in an SEC filing in October 2016. "Forged cookies could allow an intruder to access users’ accounts without a password," Yahoo explained in a security notice originally posted on December 14, 2016. "Based on an ongoing Yahoo investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies."

The user notifications come as negotiations for Yahoo's acquisition by Verizon are nearing a close. According to a Bloomberg report, the series of security woes uncovered during the acquisition process has resulted in Verizon negotiating down Yahoo's $4.8 billion price tag by $250 million.

 

Update, 10:00 am February 16: A Yahoo spokesperson told Ars this morning:

"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used.  Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."

According to someone with knowledge of the investigation, the notifications are part of the final phase of the investigation of the breach, and the latest notifications were for a nearly finalized list of victims of the breach.

Channel Ars Technica