Yahoo’s Cookie Monster


Information is now seeping out from Yahoo providing some details of the methods used to compromise over 1 billion user accounts. In a press release, Yahoo said its investigation has revealed that “unauthorised third parties” lifted names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers from the compromised email accounts.

Reports in the specialist and general media mention the use of “forged cookies”, which were used to log in and acquire this information from millions of accounts, allowing the attackers to bypass the users’ real passwords entirely.

Cookies are small pieces of text that a web server sends to the browser, and which the browser then returns with every subsequent request to that server. The server uses the information in the cookie to perform a specific function such as authentication or tracking, or to maintain details about the user such as their site preferences. The point of many cookies is to improve the user experience by relieving the user of typing in the same information every time they visit a site or land on a particular web page. Nearly everyone has cookies in their browser: if you have ever closed a site and found yourself still logged in when you came back, that is a session cookie at work. It is that kind of cookie, the one that stands in for your password once you have logged in, that a forged cookie imitates.

This article was written by Steve Dance who is the managing partner of RiskCentric

RiskCentric provide automated management systems, education and awareness management solutions for business continuity, cyber security, regulatory and standards compliance


But let’s hold on for a moment: how do you forge a cookie? There are several ways:

  1. You can “reverse engineer” them. If a site builds its cookies from something predictable, such as the user id, a counter or a weak random number, an attacker who gathers a sample of that site’s cookies (a browser only sends a site’s cookies to that site, so this usually means registering many accounts or capturing traffic rather than simply luring users to a page you control) can run a “cookie cracking” process to work out the generation scheme and then produce valid cookies for other users, compromising their logins without ever knowing their passwords.
  2. You can steal them. A classic example uses an auction site: the attacker posts an auction that includes a link to what is advertised as additional pictures or information about the item. In fact the link carries script that, when a user clicks it, sends their cookie for the auction site to the attacker’s server, where a CGI script logs it. The attacker can then pick the most recent cookies from the log and present them to the auction site to impersonate those users. This is why session cookies should be marked HttpOnly, so that script running in the page cannot read them, and why a site must guard against script injection in the first place.

Either of these might work if you were targeting one or a handful of specific individuals, but for millions? And why would the haul consist only of accounts at a single internet service provider?

Another option would be to target an organisation that you know has millions of users and “hijack” the means by which it generates its cookies. Do that and, armed with nothing more than a user id (here, an email address), you have the capability to compromise millions of accounts. The word is out there that this was the technique used by the hackers: they managed to find and copy the code Yahoo used to generate cookies, and used it to mint cookies that “fooled” Yahoo’s systems into believing that bona fide users were accessing their accounts. This would explain the vast number of successfully hacked accounts: once an attacker holds whatever the generation code relies on to make a cookie valid, forging a cookie for any given user costs no more than issuing a genuine one.
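All three options come down to one question: what does the server use to tell a genuine cookie from a made-up one? The following Python script is an added example, not Yahoo’s code and not from the article’s author, and it puts option 1 and the generation hijack side by side. A naive cookie that is just the encoded user id can be forged by anyone (option 1). An HMAC-signed cookie cannot be forged by an outsider who lacks the key, but an attacker who has obtained the server’s signing key, which is what this example assumes “copying the code used to generate cookies” amounted to, mints valid cookies for any user id at will. The key, user ids and timestamps are all constructed for the example, and modelling the fix as switching to a fresh key is an assumption, since the article does not say what Yahoo changed.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed server secret: stands in for whatever Yahoo's cookie-generation
# code relied on.  Anyone who holds it can mint cookies the server will accept.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"


def naive_cookie(user_id):
    """Option 1 target: the cookie is nothing but the user id, base64-encoded.
    No secret is involved, so anyone who knows the scheme can forge one."""
    return base64.urlsafe_b64encode(user_id.encode()).decode()


def naive_verify(cookie):
    """The server trusts whatever user id the cookie decodes to."""
    try:
        return base64.urlsafe_b64decode(cookie.encode()).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None


def issue_cookie(user_id, key, expires_at):
    """Signed cookie: base64(user_id|expiry) plus an HMAC-SHA256 tag over it.
    Without `key` an attacker cannot produce a tag the server will accept."""
    payload = base64.urlsafe_b64encode(f"{user_id}|{expires_at}".encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie, key, now):
    """Return the user id the cookie vouches for, or None if the tag is wrong
    (forged or tampered with) or the cookie has expired."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        user_id, expires_at = base64.urlsafe_b64decode(payload.encode()).decode().rsplit("|", 1)
        if now >= int(expires_at):
            return None
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return user_id


def forge_without_key(user_id, expires_at):
    """What an outsider can do against the signed scheme: a well-formed cookie
    with a guessed tag.  The chance of it being accepted is one in 2**256."""
    payload = base64.urlsafe_b64encode(f"{user_id}|{expires_at}".encode()).decode()
    return f"{payload}.{'0' * 64}"


def forge_with_leaked_key(user_id, leaked_key, expires_at):
    """The generation-hijack case: with the server's key in hand, forging a
    cookie for any user id is the same operation as issuing a genuine one."""
    return issue_cookie(user_id, leaked_key, expires_at)


def demo(now=1_700_000_000):
    """Run each scenario and report which user id, if any, the server accepts."""
    later = now + 3600
    victim = "victim@example.com"  # constructed account, never logged in
    return {
        # Option 1: no secret, so the forged cookie is accepted as the victim.
        "naive_forged": naive_verify(naive_cookie(victim)),
        # A genuine cookie issued by the server is accepted.
        "legit": verify_cookie(issue_cookie("alice@example.com", SERVER_KEY, later), SERVER_KEY, now),
        # An outsider's forgery against the signed scheme is rejected.
        "forged_no_key": verify_cookie(forge_without_key(victim, later), SERVER_KEY, now),
        # An attacker holding the key mints a cookie for the victim; the server cannot tell.
        "forged_leaked_key": verify_cookie(forge_with_leaked_key(victim, SERVER_KEY, later), SERVER_KEY, now),
        # Expiry is checked, so a stale cookie (stolen or forged) is rejected.
        "expired": verify_cookie(issue_cookie("alice@example.com", SERVER_KEY, now - 1), SERVER_KEY, now),
        # Assumed remediation: once the server verifies with a fresh key, every
        # cookie minted with the leaked one stops working.
        "after_key_rotation": verify_cookie(forge_with_leaked_key(victim, SERVER_KEY, later), b"fresh-key-after-incident", now),
    }


if __name__ == "__main__":
    for scenario, accepted_as in demo().items():
        print(f"{scenario:20s} -> {accepted_as}")
```

Two points worth drawing out of the run. First, the signed scheme is only as strong as the secrecy of the key: `forged_leaked_key` is accepted because, to the server, a cookie minted by the attacker is indistinguishable from one it issued itself, which is why Grossman describes this kind of attack as needing a “very deep hack”. Second, rotating the key invalidates every outstanding cookie, the attacker’s and the legitimate users’ alike, so everyone is forced to log in again; after an incident of this kind that is the price you pay. Note that option 2, theft, sidesteps all of this: a stolen genuine cookie verifies perfectly well until it expires, which is why short expiry and the HttpOnly flag matter alongside signing.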

Yahoo has stated that it has dealt with this issue and that it is no longer possible to create forged cookies for its services. However, Jeremiah Grossman, chief of security at SentinelOne, told NBC News that “usually this type of forged cookie hack is extremely difficult,” and it would “only be possible after a very deep hack” into a website. The question remains how the attackers got deep enough into Yahoo’s systems to reach this code, so there are still plenty of questions to be answered on this one.