Spam attack: A plain English guide for YahooXtra

Photo / Thinkstock

Amid much confusion over the source of the YahooXtra hacking debacle, an IT expert has released a "plain English" explanation describing what really happened, warning users never to use the "remember me" check box when logging in.

Paul Matthews, CEO of the Institute of IT Professionals NZ, wrote the backgrounder, complete with advice on how to proof your email from future hacking attempts.

He first points out that the problems lie largely with Yahoo, which Telecom outsourced their email service to back in 2007.

Yahoo has been playing a game of "cat and mouse" with hackers since November last year, Matthews writes, when a hacker going by the name of The Hell discovered a major vulnerability on Yahoo's servers and sold it on a black hat security forum for $700.

The vulnerability apparently came about thanks to Yahoo's failure to keep its blog software up to date - a widely recognised security hole on the Yahoo subdomain developer.yahoo.com that that had been around for close to nine months.

Because developer.yahoo.com is a subdomain of yahoo.com, cookies - the small files that remember who you are on a website - are accessible to that site.

The security hole allowed the hackers to plant a script on the developer site that could read the Yahoo login cookie from any browser, anywhere, which would then be sent "home" to the hacker, Matthews says.

With access to those details, full control meant that the victim's Yahoo - and YahooXtra - email accounts were at their mercy.

All a customer had to do to be vulnerable was log in to Yahoo or YahooXtra sometime in the last year and tick "remember me" box.

It made no difference if the account hadn't been used in months.

To reproduce the attack, the hackers needed users to visit a webpage that had the XSS attack code on it - hence the links in the email.

Telecom initially blamed the ensuing spam attack on a "phishing" attempt, but later admitted that the Yahoo email service had been hacked.

Matthews writes that this was not a phishing attempt because it wasn't designed to trick you into giving out any personal details.

Rather it took users to a webpage that used the vulnerability on the Yahoo Developers Network to lift their cookie information, gaining access to the webmail account.

Once the hackers had access to the account, a script was used to send out an email to everyone in its address book, telling them to look at the link.

And we all know what happened then.

Even Telecom chief executive Simon Moutter fell victim to the attack when he opened an email and clicked on the link.

Telecom advised victims to change their password, but feedback from users has indicated that this didn't completely fix the problem.

"Contrary to reports, changing your password really isn't going to help in this case (although it may have killed the cookie depending on Yahoo's setup) and updating virus protection wouldn't help either. Although it's still a good idea, of course," Matthews says.

Yahoo disputes this, saying they can give "every assurance that it does rectify the situation".

More than 50,000 YahooXtra customers have already changed their passwords and Telecom is now advising that all 450,000 do the same.

And while Matthews says there isn't much we can do about the attack now that it's happened, he does offers a few tips on how to avoid similar scams in the future.

- It's a good idea to, firstly, log out. Once logged out the session is "dead" and the account cannot be accessed.

- Make sure you always log out as closing the browser window won't suffice.

- And never use the "remember me" checkbox on webmail, no matter how inconvenient it is to log in every time.