Yahoo! has said that it has fixed the vulnerability that led to around 400,000 user email addresses and passwords being compromised.
In a statement, in which it ‘sincerely apologised to all affected users’, Yahoo! said it had taken swift action and had fixed the vulnerability, deployed additional security measures for affected Yahoo! users, enhanced its underlying security controls and was in the process of notifying affected users.
“In addition, we will continue to take significant measures to protect our users and their data. If you joined Associated Content prior to May 2010 using your Yahoo! email address, please log in to your Yahoo! account where you may be prompted to answer a series of authentication questions to change and validate your credentials,” it said.
As revealed by SC Magazine last week, Yahoo! confirmed that up to 400,000 of its Voices account user names and passwords had been stolen and published online. The credentials were reportedly stored in clear text and were taken from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com.
Later, research by Imperva found that the breach of the Voices application was enabled by a union-based SQL injection vulnerability in the application, the basic form of SQL injection and a well-known attack.
Rob Rachwald, director of security strategy at Imperva, said: “The Yahoo! Voices breach demonstrates an inherent problem with the security development lifecycle (SDLC) as a sole solution for web app security. Even in the case that you have a very good SDLC program, when you acquire some code that was developed outside of your organisation, you need to quarantine it behind a web application firewall. This is true not only for acquisition, but also for the more common use of using some third party applications and modules.”
Yahoo! said that an older file was compromised and that it contained information provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!; the service has since been rebranded as the Yahoo! Contributor Network. “This compromised file was a standalone file that was not used to grant access to Yahoo! systems and services,” it said.
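The two defects the article describes, a union-based SQL injection in the web application and credentials stored in clear text, can be seen side by side in the added example below (illustrative code written for this page, not Yahoo!'s or Imperva's; the table schema and sample rows are constructed, and sqlite3 stands in for the real database). The string-concatenated lookup lets a union-style input pull rows from the credential table, the parameterised version returns nothing for the same input, and the hashing helpers show what the stored file should have held instead of plain passwords.

```python
import hashlib
import os
import sqlite3

# The textbook union-based probe the article refers to: the closing quote ends the intended
# string, UNION appends a second SELECT, and "--" comments out the rest of the original query.
UNION_PROBE = "x' UNION SELECT username, password FROM users --"


def build_db():
    # Constructed in-memory stand-in for a contributor database (assumed schema, not Yahoo!'s).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])  # clear text, as in the breach
    conn.execute("CREATE TABLE articles (author TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [("alice", "First post"), ("carol", "Travel tips")])
    return conn


def articles_by_author_vulnerable(conn, author):
    # Input is spliced into the SQL text, so it becomes part of the query grammar.
    sql = "SELECT author, title FROM articles WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def articles_by_author_safe(conn, author):
    # Bound parameter: the driver passes the value separately; it can never extend the statement.
    return conn.execute(
        "SELECT author, title FROM articles WHERE author = ?", (author,)).fetchall()


def hash_password(password, salt=None):
    # scrypt with a random 16-byte salt; store salt + digest instead of the clear-text password,
    # so a leaked file does not directly yield reusable credentials.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1) == digest
```

Run the two lookups with a normal author name and then with UNION_PROBE to see the difference: only the concatenated query returns rows from the users table.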