A recent article published by Bitdefender blames an unpatched WordPress bug for security issues that certain Yahoo users have experienced since the beginning of the year. The security company, which offers services such as USB immunization, mobile security and quick scans, released the statement approximately one month after Yahoo users began losing access to their accounts.
The Bitdefender article states that “a spam wave that has been circulating for roughly a month is stealing Yahoo login credentials by exploiting an old – yet unpatched – vulnerability in a component of the Yahoo Developers blog. The spam message features a bit.ly shortened URL that takes the user to a web page impersonating the popular MSNBC page, but which turns out to be located on a series of subdomains on hxxp://com-im9.net. Whois information for the domain reveals it was bought in Ukraine and hosted in a data center in Nicosia, Cyprus.”
ZDNet News Coverage
The story has been picked up by ZDNet.com, which published an article on February 1st advising readers that “earlier in the year, a security issue saw Yahoo users lose control of their accounts. While the attack relied on customers clicking on a link to a malicious site, it was unknown how attackers were able to retrieve the session cookies required, since the site was not on a Yahoo domain.
The WordPress blog that enabled the attack was Yahoo’s own developer network site, which resides on the developer.yahoo.com domain. This meant that upon compromising it, hackers were able to access session cookies for the yahoo.com domain, and then send them back to themselves.”
November 2012 Detection
A poster who goes by the name MustLive published a full disclosure entry on November 9th, 2012 to give developers a heads-up on the vulnerability behind the flaw. The WebSecurity.com researcher listed WordPress versions 2.5 through 3.3.1 as susceptible.
The poster MustLive wrote that “in April a Cross-Site Scripting vulnerability in swfupload.swf in WordPress (CVE-2012-3414) was announced. It was fixed in WordPress 3.3.2. At that time there was no detailed information about it. Last week I noticed that people began disclosing this XSS hole in swfupload.swf in other web applications (as in one WP plugin, where I found it). So the details of this hole were already disclosed, which [led] to new advisories with XSS in this flash file in other webapps. After that I did research and here is information about different versions of this swf-file (with different names) and all versions of WordPress which contain any of these swf-files. I.e. not one swf (mentioned by Neal Poole), but two swf’s with different names have this XSS.”
Bitdefender ended its blog entry by explaining how users’ cookies are illegally obtained.
“Since the exploitable component is located on a sub-domain of the target website, the same-origin policy does not prevent the exploit code from accessing cookies, which are subsequently sent to the attacker. Once they have the log-in cookie, they can authenticate into the victim’s account and send spam or harvest contacts’ e-mail addresses for other spam campaigns. We believe this is the account recruitment stage of the operation and we expect the next wave of messages to feature links to malware.”
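To make Bitdefender's point concrete, the following is an added example (not code from the article, Bitdefender, ZDNet or WordPress): a small model of RFC 6265 cookie scoping showing why script injected into one sub-domain (the developer.yahoo.com situation described above) can read a session cookie scoped to the parent domain, and how HttpOnly and host-only cookies limit that exposure. The hostnames (login.example.com, developer.example.com) and cookie values are constructed for illustration, and Path matching is ignored.

```javascript
// Added example, not code from the article or the projects it mentions. Models
// RFC 6265 cookie scoping to show cookie exposure to script on a sibling sub-domain.
// Hostnames and cookie values are constructed; Path matching is deliberately ignored.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, httpOnly: false, secure: false }; // domain null = host-only
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain" && v.trim()) cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching: host equals the Domain or is a sub-domain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Is a cookie set in a response from setHost attached to requests for reqHost?
function sentTo(cookie, setHost, reqHost) {
  if (cookie.domain === null) return reqHost.toLowerCase() === setHost.toLowerCase();
  return domainMatches(reqHost, cookie.domain);
}

// How exposed is the cookie to script running (for example via an XSS) on scriptHost?
function exposure(header, setHost, scriptHost) {
  const c = parseSetCookie(header);
  if (!sentTo(c, setHost, scriptHost)) return "not sent to that host";
  if (c.httpOnly) return "sent, but hidden from document.cookie (HttpOnly)";
  return "readable via document.cookie";
}

// Hardened form: host-only (no Domain), Secure, HttpOnly, plus the __Host- prefix,
// which browsers only accept when the cookie is Secure, host-only and Path=/.
function hardenedSessionCookie(name, value) {
  return `__Host-${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

const LOGIN = "login.example.com", BLOG = "developer.example.com"; // constructed hosts
console.log(exposure("SID=abc123; Domain=example.com; Path=/", LOGIN, BLOG));   // readable via document.cookie
console.log(exposure("SID=abc123; Domain=example.com; HttpOnly", LOGIN, BLOG)); // sent, but hidden from document.cookie (HttpOnly)
console.log(exposure(hardenedSessionCookie("SID", "abc123"), LOGIN, BLOG));     // not sent to that host
```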
We will continue to keep an eye on this story and advise our readers of any new information, including newly released fixes.