Lately I've gotten random emails from friends with Yahoo Mail (or sbcglobal.net, which uses Yahoo Mail) without a subject and some random URL that I'm not going to click on.

At first I thought that someone had gotten ahold of their password, and I recommended that they update passwords.

I just now got an email from someone who changed their password last week.

Is this some sort of cross-site scripting vulnerability? Is there any way to find out from just being the recipient of one of the messages?

Here are a few of the headers from a recent mail:

Received: from [999.999.999.999] by web83806.mail.sp1.yahoo.com via HTTP; Wed, 27 Jun 2012 09:23:30 PDT
X-Mailer: YahooMailWebService/
Message-ID: <[email protected]>
Date: Wed, 27 Jun 2012 09:23:30 -0700 (PDT)

The blacklisted IP in the received header was from a dynamic IP in Norway.

So I'm assuming the machine at that IP was able to get my friend's Yahoo Mail cookie and use it to send email to people in her address book. Does that sound accurate? Even if someone was using an HTTPS connection to Yahoo Mail, a specially crafted email might be able to extract the cookie and deliver it elsewhere via an RPCXML call, right?

So how do you secure a Yahoo Mail account from an attack like this?

UPDATE: I've received emails like this from four different people now. It obviously isn't an isolated incident, and there's surely something that users of Yahoo Mail can do to protect themselves.

  • Watch where you put your password.
    – cutrightjm
    Commented Jun 28, 2012 at 5:32
  • @ekaj: Always, but in this case, I think it's more likely a session hijacking attack. User opens an email that uses a vulnerability in Yahoo Mail to get their session cookie and then send emails without their knowledge.
    – tomlogic
    Commented Jun 28, 2012 at 5:39
  • I have seen it happening on Hotmail accounts, too. Knowing the password of one hacked account, I am going with the slow-moving brute-force attempts mentioned by ox45tallboy. In this case changing the password worked (so far) for that person.
    – user145458
    Commented Jul 11, 2012 at 20:12
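The question asks whether the recipient can learn anything from the headers alone. The following added example (not code from the question or from any answer) parses a Received line of the shape quoted above and flags the signals a defender would look for: the message went through Yahoo's web interface (a live login or session was used, so the account itself was driven, not merely spoofed), the originating IP is outside the networks the account owner normally uses, and the subject is empty. The header sample, the owner's network range and the IP are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the headers quoted in the question.
# The originating IP is a documentation-range placeholder, not a real sender.
SAMPLE_HEADERS = (
    "Received: from [203.0.113.45] by web83806.mail.sp1.yahoo.com via HTTP; "
    "Wed, 27 Jun 2012 09:23:30 PDT\n"
    "X-Mailer: YahooMailWebService/\n"
    "Date: Wed, 27 Jun 2012 09:23:30 -0700 (PDT)\n"
    "Subject: \n"
)

# Networks from which the account owner normally reads mail (assumed value).
OWNER_NETWORKS = [ip_network("198.51.100.0/24")]

# First Received hop in Yahoo webmail form: "from [ip] by relay via HTTP;"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[?(?P<ip>[0-9a-fA-F.:]+)\]?\s+by\s+(?P<relay>\S+)"
    r"\s+via\s+(?P<via>\S+);",
    re.MULTILINE,
)

def parse_headers(raw):
    """Map lower-cased header name -> value (first occurrence wins)."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def originating_hop(raw):
    """Return the ip/relay/via fields of the first Received hop, or None."""
    m = RECEIVED_RE.search(raw)
    return m.groupdict() if m else None

def assess(raw, owner_networks=OWNER_NETWORKS):
    """List signals that the owner's webmail account was driven by someone else."""
    findings = []
    hdrs = parse_headers(raw)
    hop = originating_hop(raw)
    if hop and hop["via"].upper() == "HTTP":
        findings.append("sent through webmail, so a live login or session was used")
        ip = ip_address(hop["ip"])
        if not any(ip in net for net in owner_networks):
            findings.append(f"webmail session from {ip}, outside the owner's known networks")
    if hdrs.get("x-mailer", "").startswith("YahooMailWebService"):
        findings.append("X-Mailer is Yahoo's own web client, not a spoofed third-party sender")
    if not hdrs.get("subject"):
        findings.append("empty Subject, matching the reported spam pattern")
    return findings
```

Run `assess(SAMPLE_HEADERS)` on the constructed sample and all four findings fire; the same check against a mail relayed via SMTP with a normal subject returns nothing.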

3 Answers


@tomlogic: I'm wondering if this is coming from the "Always-logged-on" part of Yahoo Toolbar. It wouldn't be difficult to spoof the https connection as coming from a Yahoo server through the scripting of the page, basically requesting the user id in a secure format (although as you pointed out, it could just as easily be the session cookie, since the Yahoo sessions are practically indefinite in length now) in order for the page to know which ad to serve up based on the saved profile.

I have no knowledge that this is actually the case, but this is how I would do it: you have to uncheck a whole lotta boxes when you're setting up Yahoo mail (and several other 'free' apps) in order to keep from installing that freaking toolbar that does absolutely nothing other than provide a Yahoo search box (who uses that anymore?) and a new e-mail notification - but also stores every single website you visit and everything you type into an unencrypted web form.

I've been sending replies to the 5 different people that have sent me one of these "no subject with link to phishing site" e-mails that they should change their password from a different computer or from a smartphone, then run an antivirus as well as an anti-spyware such as MalwareBytes or SpyBot before logging back in to Yahoo on their own computer, and also remove Yahoo Toolbar and associated Yahoo apps. What added value do they provide, anyhow?

  • I'm leaning toward session hijacking, since it seems to happen infrequently. I would think that if someone got ahold of their email address, they'd continue to use it for spamming purposes. That and the fact that I've told people to change their passwords and their accounts still send out this random spam. I guess without getting one of them to volunteer for a Wireshark install and constant data logging, there's no easy way to know for sure. I would think Yahoo would have picked up on this and be tracking down the cause by now.
    – tomlogic
    Commented Jun 29, 2012 at 6:11
  • Yeah, that's what I'm seeing, though - exactly the same thing coming from the same users - a blank subject line with a simple link to a phishing site. Two users who check their e-mail infrequently have sent me several, averaging about one a day, while the others have fixed the problem as soon as they changed their passwords.
    Commented Jun 29, 2012 at 13:42
  • I'm not saying I'm right here, but it seems that changing your password does solve the problem - which leads me to believe that either the passwords were weak and cracked through slow-moving brute-force attempts over the course of a few weeks (try only a few each hour to prevent lockout, but times 1,000,000+ accounts will yield results quickly), or their computer was tricked into sending their Yahoo logon in an unencrypted format, or, like you said, it's a session hijack from a site the user is frequenting.
    Commented Jun 29, 2012 at 13:46

Happened to my yahoo account too. The infection resulted from an email directing to a web link which I inadvertently clicked from my Blackberry. Had to change password, delete the Blackberry connection to Yahoo email and delete my Yahoo contact list just to be on the safe side. Have reported to Yahoo customer support but they only provided standard answers. I had not installed Yahoo toolbar. I strongly suspect the attacker is exploiting some weakness in the Yahoo Accounts infrastructure, possibly related to the Yahoo BIS connector for Blackberry. This does not seem a password cracking attempt, nor a session hijacking.


It's not Cross Site Scripting.

It could be possible that your friend is a victim of phishing or infected by spyware on his PC. There are many types of spyware in the internet sea that steal users' passwords, credit card details, cookies and other important details.

Such autobots install themselves in the browser as an add-on or extension, load from there, and post or mail spam.

To be secure, update your browser frequently and use a good anti-spyware tool (Spybot Search & Destroy).

  • Sadly, it's impossible to prove that some service doesn't have any vulnerability. Only thing you can be sure is that you don't know of one yet.
    – gronostaj
    Commented Jul 30, 2013 at 20:24
  • I know that, but there is less possibility of a vulnerability in Yahoo Mail than of a spybot on the user's system.
    Commented Jul 30, 2013 at 20:26
