Security flaws in Yahoo Mail

andrew shieh (shandrew@LELAND.STANFORD.EDU)
Sun, 12 Oct 1997 21:45:13 -0700

Yahoo recently opened a free, web-based mail service at
http://mail.yahoo.com/. I believe they purchased this from Four11 or
Rocketmail.

It has several security flaws in its POP server access. It has a
capability to read external mail into your Yahoo mail account via POP3.
This works fine.

However, the setup for the POP mail is flawed.

It asks you for mail server, username, and password, and records this,
so next time you log in to your Yahoo mail account, the settings are
retained. This worries me.

The mail interface requires JavaScript. This worries me.

The mail interface uses cookies with long expiration times to
authenticate you. This worries me.

The multiple major flaws are in the setup for external accounts. When
you log in to the Yahoo account and check the settings for external
accounts, the mail server, username, *and password*, are printed as
default form values. Although the password is bulleted-out on screen,
*it is sent twice in the HTML source*, thus can be easily viewed. This
is completely unnecessary--the user should retype a password if
settings are being changed. Additionally, since the web page sends no
immediate Expires: header, this page gets cached on disk (for a long
period of time) by many web browsers.

The Yahoo mail support pages seem to indicate that they are somewhat
aware of some security issues, but this is not a difficult one to fix.

If someone has access to your cookies or your cache, they can easily
access the cleartext password of any external mail account you have set
up on Yahoo.

The Lesson: Never use Yahoo mail on a shared computer without clearing
the cache and cookies afterwards. Never use it to access other POP
accounts.

--
Andrew Shieh
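An added check, not part of the original post, for the two problems it describes: a small Python audit that flags password fields served with a prefilled value (and any other field that repeats that value), and a settings page served without cache-restricting headers. The form markup and response headers are constructed samples, not Yahoo's actual page.

```python
from html.parser import HTMLParser

# Constructed sample page, not Yahoo's real markup: the saved POP password
# is echoed as a prefilled <input> value and repeated in a hidden field.
SAMPLE_HTML = """<form action="/popsettings" method="post">
<input type="text" name="server" value="pop.example.net">
<input type="text" name="user" value="alice">
<input type="password" name="pass" value="s3cret">
<input type="hidden" name="pass2" value="s3cret">
</form>"""
# Constructed response headers with no caching restriction at all.
SAMPLE_HEADERS = {"Content-Type": "text/html"}

class InputCollector(HTMLParser):
    """Record (type, name, value) for every <input> tag in a page."""
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)  # attribute values may be None, hence the `or ""`
            self.inputs.append(((a.get("type") or "text").lower(),
                                a.get("name") or "", a.get("value") or ""))

def audit_form(html):
    """Flag prefilled password fields and any field repeating their value."""
    p = InputCollector()
    p.feed(html)
    secrets = {v for t, _, v in p.inputs if t == "password" and v}
    findings = []
    for t, name, v in p.inputs:
        if t == "password" and v:
            findings.append(("password_prefilled", name))
        elif v and v in secrets:          # the "sent twice" case
            findings.append(("password_duplicated", name))
    return findings

def audit_caching(headers):
    """List cache-restricting headers a page carrying secrets lacks."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "no-store" in h.get("cache-control", ""):
        return []                         # strongest directive is present
    missing = ["Cache-Control: no-store"]
    if "expires" not in h:
        missing.append("Expires")
    if "no-cache" not in h.get("pragma", ""):
        missing.append("Pragma: no-cache")
    return missing
```

Run against a real settings page by feeding `audit_form` the fetched body and `audit_caching` the response headers; a clean page returns an empty list from both.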