Yahoo admits that 2012 breach might include a post-hack cookie problem



#1 JohnC_21

Posted 10 November 2016 - 06:29 PM

YAHOO IS REMAINING RELEVANT by continuing to release information about the hack on the company's systems in 2012 which has only recently come to light.
 
The hack was a big one, and Yahoo has tackled it publicly for some time. We know, more or less, how many people were affected, and we know that a lot of them used passwords that deserve a shovel to the back of the head.
 
Now, thanks to a filing with the US Securities and Exchange Commission (SEC), we know that Yahoo is concerned that the hackers left some bad cookies that might still be a source of concern.
 
"Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled the intruder to bypass the need for a password to access certain users' accounts or account information," the company said.

 

Article

 

It was a pain but I finally dumped Yahoo mail and haven't looked back. 

 

 




 


#2 JohnnyJammer


Posted 13 November 2016 - 07:07 PM

LOL @ this

"Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled the intruder to bypass the need for a password to access certain users' accounts or account information," the company said.

This was well known and incredibly easy to achieve. It was also common for a lot of people to create a text file and dump the cookies in there for later use, because when you created a booter/chat client for Yahoo's YMSG, you would save a huge amount of time through the login process by already having the cookie in a file, so the only thing you validated was the cookie (no username && password needed).

Manipulating the T= would allow you to set the time and date to 1/1/1970 (convert to epoch) and log in without a password! I was doing this well before 2012 :|
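The server-side checks that defeat the cookie reuse and timestamp editing discussed in this thread, as an added example that is not part of either post and is not Yahoo's code. The cookie layout (`u`, `t`, `g`, `sig`), the key and the `SESSION_GEN` revocation counter are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed values for this example; not Yahoo's cookie format or keys.
SERVER_KEY = b"example-key-rotate-me"
MAX_AGE = 14 * 24 * 3600  # assumed session lifetime in seconds
# Assumed per-account counter, bumped on password change or forced logout.
SESSION_GEN = {"alice": 3}


def _mac(user, issued, gen):
    msg = f"{user}|{issued}|{gen}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    issued = int(time.time() if now is None else now)
    gen = SESSION_GEN[user]
    return f"u={user}&t={issued}&g={gen}&sig={_mac(user, issued, gen)}"


def check_cookie(cookie, now=None):
    """Return (accepted, reason) for a presented session cookie."""
    now = int(time.time() if now is None else now)
    try:
        fields = dict(p.split("=", 1) for p in cookie.split("&"))
        user, sig = fields["u"], fields["sig"]
        issued, gen = int(fields["t"]), int(fields["g"])
    except (KeyError, ValueError):
        return False, "malformed"
    # The MAC covers the timestamp, so an edited t= no longer verifies.
    expected = _mac(user, issued, gen)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"
    # Age is enforced by the server; epoch-zero or future values never pass.
    if issued > now or now - issued > MAX_AGE:
        return False, "expired"
    # A cookie saved to a file stops working once the counter is bumped.
    if SESSION_GEN.get(user) != gen:
        return False, "revoked"
    return True, "ok"
```

Bumping the counter on every password change is what makes a reset actually end access for anyone holding an old cookie.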





