Insecure API abused for years

Sep 21, 2009 11:10 GMT

A security researcher has exposed a vulnerable Yahoo Web service that has been abused by spammers to enumerate valid Yahoo! IDs or brute-force login credentials for years. The attacks are possible because the company failed to apply the same security checks to the API as it did to the webmail interface.

Ryan Barnett, the director of application security research at Breach Security, detected the intriguing brute-force attack during his work as leader of the Web Application Security Consortium's (WASC) Distributed Open Proxy Honeypot Project. This project allows researchers to monitor attacks that make use of open proxies by deploying a few rogue ones under their control.

Using a single one of these sensors, the “WASC DOPHP has identified a large scale distributed brute force attack against what seems to be a web services authentication system aimed at ISP or partner web applications,” Barnett warns. The targeted authentication system is deployed across many Yahoo! servers and can be located by doing a special Google search.

According to the researcher, there are a few components that make these attacks possible and/or successful. First of all, this system doesn't seem to count or limit the number of retries, but, even if it did, the attackers are using methods to bypass detection anyway. These techniques involve distributing requests through multiple open proxies, targeting the vulnerable API hosted on multiple Yahoo! servers, as well as submitting different user/password combinations on every attempt in order to thwart tracking attempts.

Furthermore, unlike the webmail authentication page, which responds to a failed login attempt by saying only that the username or password was incorrect, this service reveals exactly which of the two was bogus. Using this design flaw, attackers are able to enumerate valid usernames by trying strings from huge lists and watching how the API responds.

The collected usernames can be sold to spammers or used for password brute-forcing, which is apparently not hard to do via this system either. The regular webmail interface introduces a CAPTCHA validation after a preset number of failed login attempts is reached, a security mechanism that the API lacks. Compromised Yahoo! accounts can be a gold mine for spammers, because e-mail traffic originating from Yahoo's webmail is generally not filtered by ISPs.
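The two design flaws described above, the field-specific error message and the missing failure threshold, side by side with the checks the webmail page applied. This is an added illustration, not Yahoo!'s code; the account names, password hashing and the `HardenedAuth` class are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo accounts (hypothetical, not real Yahoo! IDs): name -> salted hash.
SALT = "demo-salt"

def pw_hash(password):
    return hashlib.sha256((SALT + password).encode()).hexdigest()

USERS = {"alice": pw_hash("correct horse"), "bob": pw_hash("hunter2")}
DUMMY_HASH = pw_hash("")  # compared against when the user does not exist

def vulnerable_login(user, password):
    """Flawed API behaviour from the article: the error names the bad field,
    so a list of candidate names can be sifted into valid and invalid IDs."""
    if user not in USERS:
        return {"ok": False, "error": "unknown user"}
    if not hmac.compare_digest(USERS[user], pw_hash(password)):
        return {"ok": False, "error": "bad password"}
    return {"ok": True}

class HardenedAuth:
    """Same checks the webmail page applied: one generic failure message and a
    step-up challenge (e.g. CAPTCHA) once an account accumulates failures."""
    GENERIC = "invalid username or password"

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        # Counted per account name, not per client IP: the attackers in the
        # article spread requests over open proxies, so IP counting misses them.
        self.failures = defaultdict(int)

    def login(self, user, password, challenge_passed=False):
        if self.failures[user] >= self.max_failures and not challenge_passed:
            return {"ok": False, "error": "challenge required"}
        stored = USERS.get(user, DUMMY_HASH)  # always run the compare, no early exit
        valid = user in USERS and hmac.compare_digest(stored, pw_hash(password))
        if not valid:
            self.failures[user] += 1
            return {"ok": False, "error": self.GENERIC}
        self.failures[user] = 0
        return {"ok": True}

def leaks_user_existence(login_fn):
    """Defender's regression check: do a known and an unknown name get
    different failure responses for a wrong password?"""
    known = login_fn("alice", "not-the-password")["error"]
    unknown = login_fn("zzz-no-such-user", "not-the-password")["error"]
    return known != unknown
```

Running `leaks_user_existence` against each login function shows the vulnerable endpoint distinguishing the two cases while the hardened one does not.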

According to Barnett, this flaw is not new and was reported to Yahoo! at least a year ago. Other security researchers note that Yahoo! is not alone in this mess and that other websites providing APIs, such as most social networks, are exposed to similar attacks. “We are investigating the situation and will take appropriate action,” a Yahoo! spokesperson told The Register.