Today there is more bad news for Yahoo users. This afternoon the company began sending its users messages warning them that the security of their accounts may have been compromised, again. It has given no data or figures; it has only said that behind this new problem could be some old acquaintances.
Those are the forged cookies, which according to the company were responsible for the largest mega-leak in history, the one that exposed the data of more than one billion of its users' accounts. But what exactly are these cookies, and why can an attacker use them to get into your account without needing to know your password?
Yes, you read that correctly: as you can see in this excerpt of the message Yahoo has sent its users, the company says it believes that between 2015 and 2016 attackers may have been getting into our accounts without using passwords. A new scandal with which Yahoo returns to the headlines because of its security problems.
Yahoo’s forged cookies or fake cookies
To talk about fake cookies we first have to explain what cookies are. They are fragments of information that the pages we visit hand out and that are stored in our browser. That way, when we enter a page it can read them and see, for example, what we did the last time we visited.
They are also used by big companies like Google or Facebook to track our browsing habits and to learn who we are and what interests us. This is valuable information, since they can then sell it to advertising companies so they can personalise their ads with it.
Cookies are always tied to controversies about privacy; after all, in a way they spy on our movements. In fact, companies like Facebook have been involved in controversies for using their cookies abusively to collect data without permission, and it has also been known that cookies can bypass HTTPS protections to get our data.
But beyond these negative uses, cookies serve above all to make life easier on the Internet. Thanks to them we have advertising personalised to our tastes, and they are also the reason that, for example, we do not have to enter our password to identify ourselves every time we visit a website.
And this is the key point in the case of Yahoo. A cracker can create so-called fake cookies, small fragments that pretend to be legitimate cookies in order to stay in our browser's cache and extract our personal data.
In this case, as Yahoo reports, these forged cookies could have been used to impersonate the cookies that let us into our account without having to enter the password. Once they had obtained that data, the attackers may have used these cookies to get into other people's accounts without bothering to crack their passwords.
According to Yahoo, forged cookies could have been responsible for the massive hack of a billion Yahoo accounts in 2013, in which names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted and unencrypted security questions and answers were stolen. In fact, these cookies could have been forged from the very code of the company's legitimate cookies.
After the scandal broke, the company claimed to have invalidated the identification cookies so that it would always be necessary to enter a password when logging in to Yahoo. But that was in 2016, too late, since we now know that from 2013 until then they could have continued to be used to access more and more accounts.