WATCH YOUR WEBSITE
Sources : Times News Network
Date of Publishing:1/8/2010
City-based hacker discovers loopholes in Yahoo! mail system that allows access to user’s personal data
You visit a popular website on your web browser while other applications such as mails, social networking sites and official work are running in other window. After some time, your Gmail password is changed and your Facebook account reads, "I am hacked". You are lost as you have not clicked anywhere or opened any harmful programme. It's all thanks to your one visit to the site with a cookie.Ahmedabad: Welcome to the new world of snooping and espio n a g e. H e re, h a cke r s don't need to intrude in your system to k n ow what you are up to in the cyber space. All they have to do is to make you click on a particular website while your Yahoo! mail is open in the same browser. Rest will be taken care of by the 'extractor' who will have access to all the tabs you have opened at one go.
This is an anomaly discovered by citybased cyber crime expert Sunny Vaghela recently. According to him, the loophole is widely used all over the world by many hackers to keep an eye on the targets in lieu of money or information.
"It is a simple code by which the hacker grabs the cookie from your browser. This can be done by sending you a link or a photograph or a simple invite. We have registered it with Yahoo! applications in which you are logged in - be it mail or messenger. It enables a hacker to grab the cookie during transmission. Once he gets it, he can just refresh his window and see all your accounts on his screen," says Vaghela.
Once the hacker gets access to one account, it is not very difficult to go hopping on to other windows. In this case, if you have three accounts open simultaneously, which is very common nowadays, consider them hacked. The accounts can then be used as per the hacker’s wish.
"I can also be a silent observer. I can go through your entire inbox and private messages, without even letting you know that I am your companion in social networking and world of emails. It is a bit different system adopted by Chinese hackers who hacked into umpteen Indian sites with the help of trojans. However, it is as effective," says Vaghela. The trick is, the cookie will be accepted as a standard HTML script not detected by anti-phishing, anti-spam filter or anti-virus. As every visit on internet generates cookies, the user cannot understand where all the data is going. If hackers are to be believed, the vulnerability is already exploited world over.
Hackers also warn against remaining logged in permanently. According to them, the username and passwords are then stored into a cookie that gets ref re s h e d every time you open it on your browser. If the hacker is awaiting a crispy cookie, he can get the data and enter your account with ease.
Yahoo! has acknowledged the loophole, says Vaghela. "Compared to other mailing services, Yahoo! has yet to plug some of the bugs. The officials have shown interest in the problem and have sent a mail on Monday. I have explained to them the anomaly and also how it can be solved. If it is implemented, hackers will have to search for some other door to enter," he says.
Web Resource for Times e Paper(For the above mentioned article): http://epaper.timesofindia.com/Default/Scripting/ArticleWin.asp?From=Search&Key=TOIA%2F2010%2F08%2F01%2F2%2FAr00201.xml&CollName=TOI_AHMEDABAD_ARCHIVE_2009&DOCID=198178&Keyword=%28%3Cmany%3E%3Cstem%3ECyber%3Cand%3E%3Cmany%3E%3Cstem%3ECrime%29&skin=pastissues2&AppName=2&ViewMode=HTML&GZ=T