Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo’s mail service that allowed an attacker—most likely a “state actor,” according to Yahoo—to use a forged “cookie” created by software stolen from within Yahoo’s internal systems to gain access to user accounts without a password.
Yahoo informed some users in e-mails this week that “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Some users are receiving messages regarding possible breaches using the cookie vulnerability in 2014.
The Associated Press’ Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.
One recipient of the alert, Joshua Plotkin of the University of Pennsylvania’s Plotkin Research Group in Mathematical Biology, posted a screen shot of the message to Twitter:
— Joshua B. Plotkin (@jplotkin) February 15, 2017
The vulnerability itself is not a new revelation. Yahoo previously announced the cookie-based attack quietly in an SEC filing in October 2016. “Forged cookies could allow an intruder to access users’ accounts without a password,” Yahoo explained in a security notice originally posted on December 14, 2016. “Based on an ongoing Yahoo investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.”
The user notifications come as negotiations for Yahoo’s acquisition by Verizon are nearing a close. According to a Bloomberg report, the series of security woes uncovered during the acquisition process have resulted in Verizon negotiating down Yahoo’s $4.8 billion pricetag by $250 million.
https://arstechnica.com/information-technology/2017/02/yahoo-reveals-more-breachiness-to-users-victimized-by-forged-cookies/ via https://arstechnica.com #CIO, #Technology