HackDig : Dig high-quality web security articles for hackers

Some Yahoo Users Exposed to Hacking Due to Bug in Yahoo Mail iOS App

2016-10-01 01:20

A password-pinning bug in the Yahoo Mail iOS app might leave users exposed to hacking and unaware that someone could have taken over their accounts, even if they changed their passwords, as Yahoo recommended in its recent data breach alert.

"Upon investigating, it became clear that Yahoo had issued a permanent credential to the device," said the Trend Micro Zero-Day Initiative (ZDI) team. "This credential does not expire and is not revoked when the password changes."

According to Trend Micro security researcher Simon Zuckerbraun, who discovered the issue, a hacker who already had access to a Yahoo Mail account's password could maintain access to the target's inbox using the iOS app, even if the victim changed their password.

The issue does not affect the Android version of the Yahoo Mail app, according to a Softpedia test.

Bug poses problems in context of recent Yahoo mega breach

Users who read the Yahoo data breach announcement last week, and went to change their passwords, were never prompted to re-login on their iOS devices.

This bug means that if a threat actor had compromised their accounts and was accessing their email inbox from an iOS device, he'd be able to continue accessing the user's account after the password reset.

But there is a way to prevent this from happening. The easiest way is to enable two-step verification in the Yahoo account security tab.

Users should manually sign out all iOS devices from their account

The second is to go to the Yahoo account "Recent activity" section and sign out all synced iOS devices, so they'll be required to re-authenticate.

Other applications and services, such as Google or Skype, do this automatically. Yahoo does this too, but the iOS app's "permanent credential" bug causes this unexpected issue.
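
An added example, not from the article or from Yahoo's code, modelling the failure described above: a device token checked only by its signature survives a password change, while one bound to an expiry and a per-account credential epoch does not. All names (`cred_epoch`, `TOKEN_TTL`, the token layout) are assumptions; the page does not describe how Yahoo's credential is built.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # constructed value, not a real secret
TOKEN_TTL = 30 * 24 * 3600            # assumed 30-day device token lifetime

# Constructed account store. cred_epoch is bumped on every password change
# and on "sign out all devices"; password hashing is omitted for brevity.
accounts = {"alice": {"cred_epoch": 1}}

def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_device_token(user: str, now: float) -> str:
    """Issue a signed token that records the account's current epoch."""
    claims = {"user": user, "epoch": accounts[user]["cred_epoch"], "iat": now}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body).decode()

def _claims(token: str):
    """Return the claims if the signature verifies, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def validate_permanent(token: str) -> bool:
    """Behaviour the article describes: no expiry, no revocation check."""
    return _claims(token) is not None

def validate_bound(token: str, now: float) -> bool:
    """Hardened check: token must be unexpired and match the current epoch."""
    c = _claims(token)
    if c is None or c["user"] not in accounts:
        return False
    if now - c["iat"] > TOKEN_TTL:
        return False
    return c["epoch"] == accounts[c["user"]]["cred_epoch"]

def change_password(user: str) -> None:
    # Bumping the epoch invalidates every device token issued before the change.
    accounts[user]["cred_epoch"] += 1

def sign_out_all_devices(user: str) -> None:
    # The manual mitigation: same revocation, triggered by the user.
    accounts[user]["cred_epoch"] += 1
```
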

Yahoo "Recent activity" tab


Source: news.softpedia.com/news/some-yahoo-users-exposed-to-hacking-due-to-bug-in-yahoo-mail-ios-app-
