What would you do if you found out that your most trusted email account has been creating problems for you? More so, how would you feel if you can do nothing to stop it? Hackers are yet again having a field day and making Yahoo mail users vulnerable to threats.
The loophole has been created by none other than the mail service provider itself, wherein a simple script put in an email can give access to hackers without them even knowing the password.
The vulnerability was spotted by TechDefence, a security solutions company started by ethical hacker Sunny Vaghela three months back, when the problem had just started. This vulnerability allows a hacker to get access to anybody’s Yahoo account without hacking the mail, or by generating a password, or by infecting it with a trojan or virus.
Explaining the procedure, Vaghela says that hacking the email account is very simple. “The person who wants to hack an account just needs to send an HTML script in an email which would give access to the targeted email account through the cookies generated by the service provider. Every website that is opened by an Internet user generates cookies containing its data. These cookies are present till the website is in use. The cookies are only deleted when the user closes the website and clears the cache,” Vaghela tells you.
Explaining the anonymity of the script, Vaghela says, “The uncanny thing is that the HTML script can’t be detected by any phishing filter, spyware filter or the best anti-virus software as it can’t be categorised as a trojan or a virus considering that it is just a common HTML link.”
“A Yahoo user’s account can get hacked by just clicking on the email sent in by the hacker. The script present in the mail will grab all the cookie information on the browser and send it to the hacker. This gives him complete access to the email account. I have tried the same on other service providers, but it could not be done as the loophole lies with the coding of Yahoo mail,” Vaghela adds.
The menace of this does not just end with hacking of the Yahoo mail account. “Not only Yahoo, but all the information available on the browser can be stolen. All the sites, gateways which require Yahoo ID can be accessed after that. Which means, if a person accesses a job site, social networking site or has the Yahoo mail ID as an alternate ID to another mail, it will give access to all. The shocking thing is that the hacker’s IP address is not at all going to be logged on Yahoo server even though he can access the victim’s account,” Vaghela says.
Vaghela also sent an email to yahoo.com informing them about this problem when it started, but he has not received any reply from them.
In the recent past, Pakistani hackers have successfully targeted various websites and officials emails of Government of India bureaucrats to steal sensitive data. Considering the fact that the script sent in by the hacker can steal all browser information makes it even more important to stop this menace.
“I am worried because many Pakistani hacker groups are misusing this vulnerability and hacking into Indian Yahoo users’ accounts. This issue needs to come into the limelight so that people/users can become aware and take countermeasures for the same,” Vaghela says.
What is even more worrisome is that no one can stop the hackers from doing this. Added to that is the fact that none of the Internet browsers support blocking scripts that do not have the website’s stamp on them, except Mozilla Firefox.
“Even in Mozilla, an add on has to be installed to make it work. Given the fact that most people do not know about add ons, the vulnerability of users continues to exist. It is only Yahoo which can fix this error by disallowing HTML scripts to be attached to the emails,” Vaghela concludes.
Would love to here from you...