You would never expect Yahoo to become a bug-ravaged network after the company recently unveiled a massive encryption initiative for its entire suite of services. But it seems all those efforts have been undermined by one software bug after another: first a flaw affecting its photo-sharing site Flickr, and then an encryption bug that exposed multiple passwords.
The months-old Flickr bug allowed any user to view the names, email addresses and messages sent to people who had been invited to join Flickr. The bug affected the invitation-resend function: the web address of a resend page ended with a unique invitation number and was left unprotected, so non-Flickr users could see the entire content of an invitation.
The links to the resend pages were supposed to display only a generic photo inviting users to join and a login or registration page, concealing the contents of the invitation. Instead, the invitation number could be iterated to disclose not only the content of each invitation but also the personal message and the email addresses of the sender and recipient.
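As an added illustration that is not Flickr's or Yahoo's code, the following Python models the resend endpoint described above: the vulnerable handler, which hands the full invitation to anyone holding a sequential number, beside a hardened version that requires an unguessable per-invitation token (a hypothetical field) and otherwise shows only the generic invitation. The sample invitations are constructed.

```python
import hmac
import secrets

# Constructed sample data: sequential invitation ids, as the article describes.
INVITATIONS = {
    1001: {"sender": "alice@example.com", "recipient": "bob@example.com",
           "message": "Come and see my holiday photos!"},
    1002: {"sender": "carol@example.com", "recipient": "dave@example.com",
           "message": "Join me on Flickr"},
}


def resend_page_vulnerable(invitation_id):
    """Vulnerable form: the number in the URL is the only thing needed to read
    the invitation. Because ids are sequential, anyone can walk through them
    and collect the names, addresses and personal messages of people who never
    joined the service (the insecure direct object reference in the article)."""
    inv = INVITATIONS.get(invitation_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, "sender": inv["sender"],
            "recipient": inv["recipient"], "message": inv["message"]}


# Hardened form: every invitation carries a 256-bit random token (hypothetical
# field, generated here for the sample data) that is only ever sent to the
# invited address, so the id alone no longer unlocks anything.
for _inv in INVITATIONS.values():
    _inv["token"] = secrets.token_urlsafe(32)


def resend_page_hardened(invitation_id, token):
    """Returns the generic invite page unless the caller presents the matching
    token. Missing id and wrong token produce the identical response, so the
    endpoint is not an oracle for which ids exist; the comparison is constant
    time so the token cannot be probed byte by byte."""
    inv = INVITATIONS.get(invitation_id)
    supplied = (token or "").encode("utf-8")
    expected = inv["token"].encode("utf-8") if inv else b""
    if inv is None or not hmac.compare_digest(expected, supplied):
        return {"status": 200, "generic": True,
                "body": "You have been invited to Flickr. Sign in or register."}
    return {"status": 200, "generic": False, "sender": inv["sender"],
            "recipient": inv["recipient"], "message": inv["message"]}
```

In a real deployment the token would be stored with the invitation record and the response for an invalid token would also be rate-limited and logged, since a burst of such requests is the detection signal for enumeration.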
The bug gave attackers ample opportunity to exploit the vulnerability and harvest personal information that could be sold to third-party groups for malicious marketing campaigns or phishing scams.
It took Yahoo two months to fix the bug after a team of security researchers reported the problem to the company. As if that were not enough, another flaw in Yahoo’s encryption system for securing Web communications exposed passwords and other sensitive data.
The vulnerability, called Heartbleed, allows attackers to obtain passwords and lure users into opening phony Web sites. The flaw stemmed from OpenSSL, an open-source software library used to encrypt data exchanged over the Web. Heartbleed can disclose sensitive information held in a server’s memory, including usernames, passwords and credit card numbers. Attackers are also able to impersonate servers or break the encryption using copies of a server’s digital keys.
Those vulnerabilities are humiliating blows to Yahoo, which touts its systems as thoroughly secured following the implementation of a network-wide encryption system protecting everything from its home page to its email service and Messenger. The move was a response to earlier disclosures of government spying programs.
The changes mean that traffic flowing between Yahoo’s servers and its users is shielded with full encryption, while the email and search services are protected by HTTPS by default.