The Yahoo indictment has brought the attack technique of minting authentication cookies to the forefront, and experts say they could be big trouble for user data.
According to the Department of Justice indictment, once the alleged Yahoo hackers had gained access to Yahoo systems, they were able to "mint" authentication cookies and access user accounts without authorization.
The DOJ claimed one of the suspects "stole a copy of at least a portion of Yahoo's User Database, a Yahoo trade secret that contained, among other data, subscriber information including users' names, recovery email accounts, phone numbers and certain information required to manually create, or 'mint,' account authentication web browser cookies for more than 500 million Yahoo accounts."
Yahoo had previously disclosed in an SEC filing that the perpetrators of the 2014 data breach had the ability to create "cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information." At the time, it was assumed this referred to forged cookies, but it now appears to be a different attack and one that is far more dangerous, according to Paul Calatayud, CTO at FireMon.
"Minting a cookie is the be-all end-all. It's essentially like saying you own the mint where money is printed vs. asking if this is a forgery," Calatayud told SearchSecurity. "Cookie forgery is when an attacker replicates or mimics the cookie; minting is when the attacker has all the attributes used by the server to create a cookie for actual use by customers. It's as if the attackers had the passwords for all Yahoo accounts."
Jeremiah Grossman, chief of security strategy at SentinelOne, based in Palo Alto, Calif., and founder of WhiteHat Security, described a forged cookie as one made by exploiting "a security flaw in the authentication system to create valid session cookies using home grown tools," while a minted authentication cookie would be created using "Yahoo's own internal tools."
Grossman said there can be confusion because "'minting' a cookie is a descriptive term that is not used industry wide," but the act could give an attacker deeper access than a forged cookie could.
"If the intruders could 'mint' valid session cookies, they could easily jump into the accounts of any Yahoo user, and potentially employee accounts, and pilfer whatever data existed," Grossman told SearchSecurity. "By leveraging access to their victim's email inbox, the intruders could also conceivably perform password resets for any other systems where their Yahoo email addresses served as the recovery channel, allowing the hackers to access user data from a wide array of platforms."
John Marshall, vice president of technical services at STEALTHbits Technologies, told SearchSecurity via email that minting authentication cookies could be seen as a "consumer variant of an Active Directory theft from within an enterprise where it's the user password hash that is 'minted'."
"Same principle, different implementation," Marshall wrote. "Whilst the risk from Active Directory theft is higher (single sign-on to multiple resources) the security principles are the same -- only by understanding where credentials are stored, who has access to them and what they give you access to can you start to quantify what risks you need to address."
Gerrit Lansing, chief architect for CyberArk, said another advantage of a minted authentication cookie over a forged cookie is that it could even be possible to bypass two-factor authentication if the "attackers compromised the user database containing the information necessary to follow the algorithm used by Yahoo to secure their authentication cookies."
In this case, "the attacker can authenticate as any user whose information is contained within the user database, which is ultimately catastrophic for the application's security," Lansing told SearchSecurity. "Furthermore, as an authentication cookie is the result of a successful authentication process, the attacker is also likely able to bypass any two-factor authentication required on the account."
Lansing continued to say that "hardening against this kind of attack goes beyond good application security practices and requires that enterprises take seriously, and harden against, the compromise of their internal infrastructure. For example, it is essential that privileged access to the user database is isolated, controlled, and monitored, and that credentials used by the database administrators or other application components are frequently changed and protected from unauthorized exposure."
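The forged-versus-minted distinction Calatayud and Grossman draw, Lansing's point that a cookie is a post-authentication artifact the verifier cannot trace back to a login (so two-factor checks are never re-run), and his recommendation to rotate the credentials that protect the issuing material can all be seen in a small signed-cookie scheme. The following is an added example written for this article; it is not Yahoo's cookie format, and the key store, key ids, user ids and cookie layout are all constructed for illustration.

```python
"""Minimal HMAC-signed authentication cookie issuer with versioned keys.

Added illustration, not code from the article or from Yahoo. Key material,
key ids ("kid"), user ids and the cookie layout are constructed here.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CookieIssuer:
    """Server-side issuer and verifier for HMAC-signed auth cookies.

    Keys are held by version id so a rotation can retire an old key, which
    kills every cookie signed under it, whether issued by the login flow or
    minted by someone who obtained the key.
    """

    def __init__(self, keys: dict, current_kid: str):
        self.keys = dict(keys)          # constructed store: kid -> secret bytes
        self.current_kid = current_kid

    def _tag(self, kid: str, body: str) -> bytes:
        return hmac.new(self.keys[kid], body.encode("ascii"), hashlib.sha256).digest()

    def issue(self, user_id: str, now: int, ttl: int = 3600) -> str:
        """Meant to be called only after password and second-factor checks pass."""
        payload = {"uid": user_id, "iat": now, "exp": now + ttl, "kid": self.current_kid}
        body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
        return f"{body}.{_b64(self._tag(self.current_kid, body))}"

    def verify(self, cookie: str, now: int) -> Optional[dict]:
        """Return the payload if the MAC is valid under a live key, else None.

        Nothing here re-checks the password or a second factor: the MAC is
        the entire proof, so whoever holds the key holds every account.
        """
        try:
            body, tag = cookie.split(".", 1)
            payload = json.loads(_unb64(body))
            kid = payload["kid"]
        except (ValueError, KeyError):
            return None
        if kid not in self.keys:
            return None                 # key retired: cookie is dead
        if not hmac.compare_digest(self._tag(kid, body), _unb64(tag)):
            return None                 # body altered without the key (a forgery attempt)
        if now >= payload["exp"]:
            return None
        return payload

    def rotate(self, new_kid: str, new_key: bytes, retire: Optional[str] = None) -> None:
        """Install a new signing key and optionally drop an old version at once."""
        self.keys[new_kid] = new_key
        self.current_kid = new_kid
        if retire is not None:
            self.keys.pop(retire, None)


def make_issuer() -> CookieIssuer:
    return CookieIssuer({"k1": b"constructed-key-1"}, "k1")


def forged_cookie_rejected(now: int) -> bool:
    """Editing a real cookie's body (here the uid) breaks the MAC: forgery without the key fails."""
    issuer = make_issuer()
    body, tag = issuer.issue("alice", now).split(".", 1)
    payload = json.loads(_unb64(body))
    payload["uid"] = "bob"
    tampered = f"{_b64(json.dumps(payload, sort_keys=True).encode('utf-8'))}.{tag}"
    return issuer.verify(tampered, now) is None


def minted_cookie_indistinguishable(now: int) -> bool:
    """A second process holding the same key store yields cookies verify() accepts:
    the verifier cannot tell them from cookies produced by the real login flow."""
    issuer = make_issuer()
    other_holder = CookieIssuer(issuer.keys, issuer.current_kid)
    return issuer.verify(other_holder.issue("bob", now), now) is not None


def rotation_kills_outstanding_cookies(now: int) -> Tuple[bool, bool]:
    """Retiring the old key invalidates every cookie signed under it; new issues still work."""
    issuer = make_issuer()
    old_cookie = issuer.issue("alice", now)
    issuer.rotate("k2", b"constructed-key-2", retire="k1")
    fresh_cookie = issuer.issue("alice", now)
    return issuer.verify(old_cookie, now) is None, issuer.verify(fresh_cookie, now) is not None


if __name__ == "__main__":
    t = 1_700_000_000
    print("forgery rejected:", forged_cookie_rejected(t))
    print("minted cookie accepted:", minted_cookie_indistinguishable(t))
    print("old dead / new live after rotation:", rotation_kills_outstanding_cookies(t))
```

The defensive reading: verification depends on nothing but the secret and the cookie body, so custody of the signing material (and of any per-user attributes that feed it) is the whole security boundary, which is why Lansing's advice centres on isolating and monitoring access to that data; the `rotate` step shows that changing the secret is the one server-side action that retires cookies minted under a compromised key.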
Calatayud said as long as enterprises are using private servers for email and not those from Google or Yahoo, "most enterprises would be safe from these attacks."
"This access would give the attackers full access to Yahoo email accounts. They could read and send emails as if they were the owners of the accounts. Most likely reading emails vs. sending, which would flag users since they would not recognize the emails being sent to their accounts," Calatayud said. "This would only be dangerous if the affected customer fully trusted Yahoo for emails and was using it for critical communications -- something we don't think is an issue until one looks at other similar issues such as political use of non-government email servers."
Other experts noted that the best protection against minted or forged authentication cookies would be stopping attackers at the point of entry.
"In this case, multifactor authentication would have slowed down the intruders, as [should have] next-generation endpoint protection products. Additionally, better checks could have and should have been in place to detect that a breach occurred," Grossman said. "It's one thing to get hacked, but it's quite another for the intruders to run free on the system undetected or for many months or even years at a time. That's when the real damage is done."