[51CTO.com original article] Yahoo's latest news shows that in the past two years, intruders have carried out "cookie forgery" attacks, resulting in the leakage of 32 million accounts. The information that may have been stolen from users includes names, email addresses, hashed passwords, phone numbers, birthdays, and some encrypted or unencrypted security questions and answers. It should be noted that this incident is separate from the two large-scale data leaks that broke out in the past few months (500 million accounts were leaked in September 2016, and 1 billion accounts were leaked in December). To make matters worse, this series of security incidents has severely damaged Yahoo's credibility with users. Just last month, Yahoo was acquired by Verizon Communications at an ultra-low price of US$350 million, down from an initial valuation of US$4.8 billion.

State-sponsored hackers?

Yahoo said in a regulatory filing on Wednesday that the cookie forgery incident was related to "hackers with a national background" and that the attackers behind the theft of 500 million Yahoo accounts in 2014 were probably the same group of people. Yahoo believes that an unauthorized third party accessed the company's proprietary code to learn how to forge the appropriate cookies. External forensics experts have determined that nearly 32 million accounts were attacked by cookie forgery in 2015 and 2016. Some of these intrusions are related to state-sponsored attackers associated with the 2014 security incident.

What is a cookie forgery attack?

Through a cookie forgery attack, an attacker can access the victim's account without having to enter the password. The intruder does not need to steal the password, but only needs to forge a web browser token, i.e., a cookie, to trick the browser into believing that the Yahoo user is logged in.

How can cookies be protected against forgery?

To save server-side resources, user login information is generally stored on the client side, in cookies. However, everyone knows that cookies can be forged. How can this be prevented? It is actually quite simple. You can add a userkey cookie whose value is the userId or userName plus a fixed string kept on the server, hashed with MD5: MD5(userId+"mysite") or MD5(userName+"mysite"). When the server checks permissions, it first checks whether the userkey is correct, and only if it is correct does it perform other operations. Doing so can largely eliminate the website security issues caused by cookie forgery. Of course, if users feel that this is not safe enough and think that MD5 can be cracked, they can combine several methods, such as SHA, Base64 and MD5. It is difficult for hackers to calculate the userkey without knowing the algorithm used and the fixed string.
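
The userkey check described above, as an added example that is not part of the original article: it implements the article's MD5(userId+"mysite") scheme next to an HMAC-SHA256 variant, which is an assumption of this example and not something the article proposes. The function names and the sample keys are hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac

SITE_STRING = "mysite"                 # the fixed server-side string from the article
DEMO_KEY = b"constructed-demo-secret"  # constructed sample key (assumption)


def page_userkey(user_id: str) -> str:
    """userkey as the article describes it: MD5(userId + "mysite")."""
    return hashlib.md5((user_id + SITE_STRING).encode()).hexdigest()


def hmac_userkey(user_id: str, key: bytes = DEMO_KEY) -> str:
    """Keyed variant (assumption of this example): HMAC-SHA256 over userId."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def issue(user_id: str, make_key=page_userkey) -> dict:
    """Cookies the server sets at login."""
    return {"userId": user_id, "userkey": make_key(user_id)}


def verify(cookies: dict, make_key=page_userkey) -> bool:
    """Recompute userkey from the userId cookie before trusting it."""
    user_id = cookies.get("userId")
    presented = cookies.get("userkey")
    if not user_id or not presented:
        return False  # a missing cookie is never treated as logged in
    expected = make_key(user_id)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    genuine = issue("alice")
    tampered = dict(genuine, userId="admin")  # userId edited, old userkey kept
    print("genuine :", verify(genuine))
    print("tampered:", verify(tampered))
    print("no key  :", verify({"userId": "alice"}))
    keyed = issue("alice", hmac_userkey)
    rotated = lambda u: hmac_userkey(u, b"constructed-rotated-secret")
    print("hmac    :", verify(keyed, hmac_userkey))
    print("rotated :", verify(keyed, rotated))
```

In both variants the check holds only while the server-side value stays secret, which is the article's point about attackers who learned how the cookies were built. Rotating the HMAC key, as the last line shows, invalidates every cookie issued under the old key.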