Yahoo! hacked again: 32 million accounts at risk - TechnoTron



Posted by: TechnoTron 03/03/2017



Yahoo! hacked again: 32 million accounts at risk

"In 2013 and 2014, 1.5 billion of the company's user accounts were compromised. Despite the danger, a new vulnerability has allowed Yahoo! to be hacked again, affecting another 32 million accounts."





Thirty-two million: that is the figure cited this time in the security report released by the Securities and Exchange Commission (SEC) of the United States. The investigation has revealed that user accounts were compromised by a so-called cookie-forging attack, which allows hackers to access accounts without having to provide a username or password. This new security breach only aggravates an already tense situation for the company. Yahoo! has already suffered two massive security failures that have compromised the accounts of 1.5 billion people in the last three years. The SEC has accused several board members of failing in their obligations to users by not understanding or assessing the previous security breaches.



Cookie-forging attack






"In November and December 2016, we announced that external forensic experts were investigating the creation of forged cookies that could allow an attacker to access user accounts without a password. We believe that unauthorized "third parties" have accessed the company's proprietary code to learn how to design such cookies. The forensic experts have identified approximately 32 million user accounts for which they believe that fake cookies were used to hack them between 2015 and 2016. We believe that part of this activity is related to the same "actor" responsible for the security incident of 2014. The false cookies have already been invalidated by the company so that user accounts cannot be used and endangered again."



As explained in the report, the Yahoo! hack used a sophisticated technique called a cookie-forging attack, in which cookies, small pieces of stored information, are used to "cheat" the website. Cookies are stored for the convenience of the user. For example, they allow us to return to a site after some time has passed without having to identify ourselves again. They also help us recover data without having to re-enter it. In this attack, the alleged hackers used such pieces of information to breach the user's security, so that the Yahoo! website believed it was dealing with a user who had previously logged in to view their account. This possibility has been discussed for some time, since several experts pointed out the potential danger that cookies pose to security.



To put it simply, when we browse we usually accept the cookies of the sites we visit. Their main functions are to keep track of users, to collect information about their browsing habits and to store information that speeds up common tasks. The general purpose of cookies is usually to create a more comfortable browsing environment. So once we have logged in to a Yahoo! account, we do not need to do it again as we navigate the site unless we deliberately log out. The piece of information that holds our identification (or the token that tells the site that we have already logged in) is the cookie. Forged-cookie hacking uses stolen cookies (something relatively simple) and cookie injection to deceive the server into believing that the hacker has already been identified, so it does not ask for the user's password, and the hacker can access all the private account information or even modify it without problems.
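As an added example (not code from Yahoo! or from the original post), the sketch below shows one common server-side defence against forged session cookies: each cookie carries an HMAC tag computed with a secret key, the server rejects any cookie whose tag does not verify, and retiring a key invalidates every cookie minted under it. The function names, key IDs and keys are hypothetical, constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_cookie(user, key_id, key, now, ttl=3600):
    """Mint 'payload.tag'; the tag can only be computed with the server key."""
    payload = json.dumps({"user": user, "kid": key_id, "exp": now + ttl}).encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(key, payload)).decode()

def verify_cookie(cookie, trusted_keys, now):
    """Return the user name for a valid cookie, or None if it must be rejected."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        claims = json.loads(payload)
        key = trusted_keys.get(claims["kid"])
        user, exp = claims["user"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None                      # malformed cookie
    if key is None:
        return None                      # signed under a retired key
    if not hmac.compare_digest(tag, _mac(key, payload)):
        return None                      # tag mismatch: forged or tampered
    if not isinstance(exp, int) or exp <= now:
        return None                      # expired session
    return user

def demo():
    # Constructed sample keys and timestamp, for illustration only.
    k1, k2 = b"constructed-demo-key-1", b"constructed-demo-key-2"
    now = 1_700_000_000
    genuine = issue_cookie("alice", "k1", k1, now)
    # A cookie built by someone who does not hold the server key.
    forged = issue_cookie("alice", "k1", b"not-the-server-key", now)
    return {
        "genuine": verify_cookie(genuine, {"k1": k1}, now + 60),
        "forged": verify_cookie(forged, {"k1": k1}, now + 60),
        "expired": verify_cookie(genuine, {"k1": k1}, now + 7200),
        # After rotation the server trusts only k2, so old cookies are invalid.
        "after_rotation": verify_cookie(genuine, {"k2": k2}, now + 60),
    }

if __name__ == "__main__":
    print(demo())
```

The scheme is only as strong as the secrecy of the key: if the signing material leaks, rotating it, as in the last case, is what invalidates cookies already in circulation.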



And that makes three




This incident has been widely denounced by the SEC because of the previous attacks of 2013 and 2014, which compromised the accounts of more than 1,500 million users. Most critical is that on those previous occasions, cookies also played an important role in the hacking.



"An independent committee has found that these failures in communication, management, research and internal information have contributed to the lack of understanding and management of the situation as of the 2014 incident."



With these words, the committee accuses the executives of not having taken appropriate action on the matter despite having already lived through the previous security breaches. And all this comes after the company stated that it was aware of the problem and had taken the appropriate measures after the attack of 2014. Marissa Mayer, current CEO of Yahoo!, has stated in a message on her own Tumblr that she is aware of the seriousness of the matter and that, despite having tried to put measures in place to remedy the potential problem, she will take responsibility for what happened. This means that the CEO will forgo part of her earnings this year and will distribute it among the workers of Yahoo!. Meanwhile, the SEC has requested evidence to establish the legitimacy of the decision to withhold information from investors, with the harsh consequences this might have for the company.
