Yahoo Reveals Cookie Forging Activity Led to Account Breach

NEWS ANALYSIS: Yahoo's latest security disclosure provides insight into how attackers forged cookies to access 32 million user accounts, in at attack that security experts see as being preventable.

Software Flaws

Yahoo has been attacked by a variety of different means in recent years, among them is a cookie forging attack the company publicly detailed in its 2016 10-K filing with the U.S. Securities and Exchange Commission (SEC).

The cookie forging activity was discovered as part of an investigation that Yahoo announced in December 2016 involving a breach of one billion Yahoo user accounts. According to Yahoo's 10-K filing, the company engaged with third party forensic experts that did an analysis looking for potentially forged cookies.

A cookie is a widely-used internet approach to storing browser session variables and preferences. Yahoo's forensic investigators determined that the forged cookies enabled an attacker to access users' accounts without a password.

"Based on the investigation, we believe an unauthorized third party accessed the Company's proprietary code to learn how to forge certain cookies," Yahoo stated. "The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the "Cookie Forging Activity")."

Yahoo added that it has invalidated the forged cookies so they can no longer be used to access user accounts.

Using cookies as a way to attack a company is not an entirely new or unique idea and security experts contacted by eWEEK were not all that surprised by Yahoo's disclosure.

Nathan Wenzler, chief security strategist at AsTech, a San Francisco, Calif. based security consulting company, commented that session hijacking with cookies is a fairly well-known attack vector for sites that do not secure communications with their users.

Wenzler explained that many sites will encrypt the communication during login, but leave the rest of the session out in the clear. By leaving some of the browser session in the clear and unencrypted, an attacker can potentially monitor the communication and ultimately, use a forgery of a proper cookie to conduct a man-in-the-middle attack to make it seem like the attacker is the legitimate user.

"This has become less and less commonplace as the encryption of all sessions is becoming a more common function for most websites, so there are fewer overall incidents to report," Wenzler said.

Protecting cookies and browser sessions is generally achieved by encrypting the communication between the user and the site during the entire duration of the session, and not simply at login. Additionally, Wenzler noted that organizations can better manage the cookies they assign to their legitimate users. Among the cookie management techniques Wenzler advocates is to ensure that the session IDs are long and randomly generated, that the cookies are short-lived and are not reused after the existing session is complete, and to regenerate the session ID after login and the encrypted channel is established.

"For users, it's always a good idea to log off of websites and services if you're not using them any longer, as this will forcibly end the session and, ideally, invalidate the session cookie and ID so that it can no longer be used fraudulently by an attacker," Wenzler said.

While protection of browser sessions from cookie forgery is important, there is another key aspect to Yahoo's latest security disclosure. Sanjay Kalra, co-founder and chief product officer at Lacework, a Mountain View, Calif. based provider of cloud security solutions, noted that in his view the main security issue is the third party access to Yahoo's proprietary code, which enabled the attackers to learn how to forge certain cookies.

"If the hackers can get to your Cloud/Data Center and access your source code to learn your weaknesses, no amount of defense post-breach is useful," Kalra told eWEEK. "As first line of defense, enterprises today need to focus on breach detection and insider threat detection to protect their crown jewels in the cloud and data center."

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.