Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13
264 posts

Ultimate Geek
+1 received by user: 46


  Reply # 759404 11-Feb-2013 12:09
Send private message

From what I understand this isn't about passwords being compromised. Instead the XSS vulnerabilities grab a copy of the cookie Yahoo gives you when you log in (webmail, possibly other Yahoo services as well). Whoever or whatever presents Yahoo with that cookie is treated as you, until the cookie is invalidated (e.g. the time limit on the cookie expires, or you change your password).

As this has been going on with Yahoo worldwide for months, it is disappointing to see they still aren't on top of it. One XSS problem gets fixed, and the spammers find another one.

13751 posts

Uber Geek
+1 received by user: 3242

Trusted
Subscriber

  Reply # 759406 11-Feb-2013 12:10
Send private message

sleemanj:
networkn:  Also each account is sending to all it's address book entries etc as well, which also couldn't happen via phishing.


While I'm not convinced that this is only the XSS phishing attack in play at all, it's not entirely correct to say that a phisher can't get your address book entries.  

I believe that the webmail by Yahoo/Xtra collects address book entries automatically, but in any case, the Yahoo XSS phishing hack from last month allows the attacker access to your webmail (by stealing your cookies) including the addressbook therein.

So yes, if this were the XSS phishing attack in use, they can (and would) send to your address book.



No I was saying that the act of Phishing (in and of itself) will not give them access to your address book. That isn't to say that same phisher couldn't gain access via other methods like the XSS (not phishing)

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.


 
 
 
 


68 posts

Master Geek


  Reply # 759409 11-Feb-2013 12:21
Send private message

This whole situation seems odd - one of these emails was sent from an old address of mine and I received it as my current address is in the address book (I haven't used this address for over a year - and have never used the account for anything other than sending a couple of emails).

Telecom should really take a front foot approach and contact all users to get them to change their passwords (as opposed to being reactive).

13751 posts

Uber Geek
+1 received by user: 3242

Trusted
Subscriber

  Reply # 759412 11-Feb-2013 12:27
Send private message

Tokes: This whole situation seems odd - one of these emails was sent from an old address of mine and I received it as my current address is in the address book (I haven't used this address for over a year - and have never used the account for anything other than sending a couple of emails).

Telecom should really take a front foot approach and contact all users to get them to change their passwords (as opposed to being reactive).


LOL any idea how long that would take ? They are the largest ISP in NZ!

12550 posts

Uber Geek
+1 received by user: 1402


  Reply # 759422 11-Feb-2013 12:32
Send private message

networkn:
Tokes: This whole situation seems odd - one of these emails was sent from an old address of mine and I received it as my current address is in the address book (I haven't used this address for over a year - and have never used the account for anything other than sending a couple of emails).

Telecom should really take a front foot approach and contact all users to get them to change their passwords (as opposed to being reactive).


LOL any idea how long that would take ? They are the largest ISP in NZ!


An hour to write the email and send to their client database. They should force a password change when signing into Web mail.

13751 posts

Uber Geek
+1 received by user: 3242

Trusted
Subscriber

  Reply # 759425 11-Feb-2013 12:35
Send private message

mattwnz:
networkn:
Tokes: This whole situation seems odd - one of these emails was sent from an old address of mine and I received it as my current address is in the address book (I haven't used this address for over a year - and have never used the account for anything other than sending a couple of emails).

Telecom should really take a front foot approach and contact all users to get them to change their passwords (as opposed to being reactive).


LOL any idea how long that would take ? They are the largest ISP in NZ!


An hour to write the email and send to their client database. They should force a password change when signing into Web mail.


Ok well I assumed (silly me) that he was suggesting calling. 

The requirement to change password is reasonable.


12550 posts

Uber Geek
+1 received by user: 1402


  Reply # 759432 11-Feb-2013 12:36
Send private message

I got another this morning so the problem is still going on. The problem is that they haven't said what has caused it, apart from saying it was fixed.

BDFL - Memuneh
58086 posts

Uber Geek
+1 received by user: 9630

Administrator
Trusted
Geekzone
Subscriber

  Reply # 759434 11-Feb-2013 12:43
Send private message

mattwnz: An hour to write the email and send to their client database. They should force a password change when signing into Web mail.


And those who never access the webmail would have no idea why their POP access stopped working, and there'd be a wave of calls to the help desk.

No, there must be another way.





12550 posts

Uber Geek
+1 received by user: 1402


  Reply # 759446 11-Feb-2013 13:05
Send private message

freitasm:
mattwnz: An hour to write the email and send to their client database. They should force a password change when signing into Web mail.


And those who never access the webmail would have no idea why their POP access stopped working, and there'd be a wave of calls to the help desk.

No, there must be another way.



You can force a password change in some systems by allowing people to log in using their old password, and then they are forced to change that password after they login, before they can access their email. SOme online banks do this, so people regularly change their banking password.  Therefore it shouldn't affect pop access until the person has logged into webmail and changed the password.

BDFL - Memuneh
58086 posts

Uber Geek
+1 received by user: 9630

Administrator
Trusted
Geekzone
Subscriber

  Reply # 759450 11-Feb-2013 13:10
Send private message

Which means people would still be vulnerable...





12550 posts

Uber Geek
+1 received by user: 1402


  Reply # 759471 11-Feb-2013 13:21
Send private message

freitasm: Which means people would still be vulnerable...



Yes, but they are still vulnerable now anyway, until they change the password. This would at least make more people change their password. I would think that many people who use webmail probably have never changed their password in the past, nor the process of how to do it. A force password change on login would help, but if their is an exploit still then it probably will only be a short term help. But then again, I am not paid hundred of thousands or millions to work for telecom in this area, to work out a fix for the problem.


121 posts

Master Geek
+1 received by user: 9


  Reply # 759477 11-Feb-2013 13:32
Send private message

mattwnz:
freitasm:
mattwnz: An hour to write the email and send to their client database. They should force a password change when signing into Web mail.


And those who never access the webmail would have no idea why their POP access stopped working, and there'd be a wave of calls to the help desk.

No, there must be another way.



You can force a password change in some systems by allowing people to log in using their old password, and then they are forced to change that password after they login, before they can access their email. SOme online banks do this, so people regularly change their banking password.  Therefore it shouldn't affect pop access until the person has logged into webmail and changed the password.

I can give you the example that I pretty much have not used my Xtra account in over a year. I just have it on iOS as a mail account. Tell me in your scenario above, how that gets sorted?

347 posts

Ultimate Geek
+1 received by user: 26


  Reply # 759480 11-Feb-2013 13:36
Send private message

Just rang Telecom (philippines) to close my old Xtra account.  For anyone like myself who has an old account they don't use I'd recommend doing the same.  I don't use it and don't appreciate my old address book being hacked at the Yahoo servers and then being accused it is my fault.

It has been such a long sad service form Telecom/Yahoo.  They do seem to suite each other though.

Get yourself a domain name for $20/year and host your email where you like,  Google seems to be pretty reliable.

I am so glad that my last contact with Xtra has finally gone.  What a sad bunch they are.  I deal with many other email and hosting provider and not one is anywhere as bad as Xtra.

Sorry for the rant but when you get lied to by Xtra, as we all have been today, it's time to remind Xtra/Telecom of what a terrible dreadful poor service they offer and how customer don't appreciate being treated like fools.

2313 posts

Uber Geek
+1 received by user: 362

Trusted

  Reply # 759481 11-Feb-2013 13:37
Send private message

I just heard on the radio that Xtra has said its not their or Yahoo's faults its happening and they have nothing to do with it.

 (But you know the Media)

12550 posts

Uber Geek
+1 received by user: 1402


  Reply # 759482 11-Feb-2013 13:37
Send private message

drquack32:
mattwnz:
freitasm:
mattwnz: An hour to write the email and send to their client database. They should force a password change when signing into Web mail.


And those who never access the webmail would have no idea why their POP access stopped working, and there'd be a wave of calls to the help desk.

No, there must be another way.



You can force a password change in some systems by allowing people to log in using their old password, and then they are forced to change that password after they login, before they can access their email. SOme online banks do this, so people regularly change their banking password.  Therefore it shouldn't affect pop access until the person has logged into webmail and changed the password.

I can give you the example that I pretty much have not used my Xtra account in over a year. I just have it on iOS as a mail account. Tell me in your scenario above, how that gets sorted?


Telecom would email your account to tell you about the problem, and to log into webmail and change your password. 
Those accounts that are inactive, and say haven't been used for 6 months, they should probably disable anyway, or automatically change the password on.

However apparently the exploit people have been talking about, is not the reason for the problem according to this story http://www.stuff.co.nz/technology/digital-living/8287236/Xtra-email-accounts-compromised

Quote -  Telecom said neither it nor its outsourced email provider YahooXtra were responsible for a massive malware attack on Kiwi internet users that began over the weekend.

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Whatever ailed Vodafone broadband … seems to be fixed
Posted 23-Jun-2017 14:10


VMware NSX Meets Stringent Government Security Standards with Common Criteria Certification
Posted 22-Jun-2017 19:05


Brother launches next-generation colour laser printers and all-in- ones for business
Posted 22-Jun-2017 18:56


Intel and IOC announce partnership
Posted 22-Jun-2017 18:50


Samsung Galaxy Tab S3: Best Android tablet
Posted 21-Jun-2017 12:05


Wellington-based company helping secure Microsoft browsers
Posted 20-Jun-2017 20:51


Endace delivers high performance with new 1/10/40 Gbps packet capture card
Posted 20-Jun-2017 20:50


You can now integrate SMX security into Microsoft Office 365, Google and other cloud email platforms
Posted 20-Jun-2017 20:47


Ravensdown launches new decision-making tool HawkEye
Posted 19-Jun-2017 15:38


Spark planning to take on direct management of all consumer stores
Posted 19-Jun-2017 10:03


Qrious acquires Ubiquity
Posted 14-Jun-2017 12:21


Spark New Zealand prepares for 5G with Nokia
Posted 14-Jun-2017 12:16


The future-proof 10.5-inch iPad Pro
Posted 13-Jun-2017 18:16


Mandatory data breach reporting in Australia
Posted 13-Jun-2017 11:30


Review: Sony MDR-1000X noise-cancelling headphones
Posted 12-Jun-2017 08:08



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.