Yahoo! has strengthened its webmail filters after researchers at Trend Micro detected a JavaScript attack last week that was targeting its users. In the past, vulnerabilities within webmail platforms have been used to compromise accounts maintained by journalists and activists.
On Friday, Trend Micro said that they had detected several emails being used in targeted attacks that contained JavaScript in the “From” field. The code was attempting to launch a DOM-based XSS attack, which would presumably yield access to the victim’s account to the attacker – that is, if the attack had worked like it was supposed to.
“We were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem. They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems Yahoo! has strengthened their filters that sanitize user emails in order to protect against these kinds of attacks,” Trend explained in a blog post.
Last summer, Yahoo improved security after a similar attack targeted their users, and Google revealed that attackers were targeting a flaw in MHTML in order to attack journalists and activists, who were targeted via Facebook. Around the same time in Taiwan, a Phishing attack exploited vulnerabilities in Hotmail, which would lead to account compromise so long as the malicious message was viewed.
Clearly, as Trend notes, criminals are no strangers to using vulnerabilities in hosted applications “in order to compromise Webmail accounts, to monitor communications, and to gain information in order to stage future attacks.”
“It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own. As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened.”
