On 24/04/13 00:49, Simon Waters wrote:
> On 24/04/13 00:42, Martijn Grooten wrote:
>> That would be my guess too. Except that I hadn't used this account for
>> over a year (and even back then only a few times). And my PC, the only
>> place where I have ever accessed the account from, had been off for a
>> week because I was abroad.
> Yes, but we know they have compromised millions of accounts, so if it is
> cookie theft they may well have a big backlog to work through.
>
>> Still, I could have missed something somewhere. But there is bad apple's
>> case too. And others. I know of someone's test account, used once to
>> email another account, that ended up being compromised.
> I don't think in any case we have conclusive evidence that the browser
> didn't have a cookie from Yahoo, and wasn't used with other sites.
>
> Although "bad apple"'s case was highly suggestive of this, it is the
> kind of thing which is very hard to categorically rule out, since most
> people (understandably) don't clear cookies immediately on leaving a
> site (and even then it could be on-site advertising or some such).

We can *definitely* rule out cookies in my case: my Firefox instance has cookie-cutter type add-ons so I can control them minutely and, like Simon, I also drop and wipe all cookies (I have no whitelist whatsoever) every time I exit Firefox, and for me that's every night. I have servers to do the 24/7 stuff, so any workstations/laptops I use during the day are always switched off at bedtime. Further to that, Firefox is configured to keep all its volatile stuff in a RAM disk, which obviously enough can't persist across reboots (this is partly to reduce wear on my SSDs, and the security is an added bonus). Anyway, I don't even know why I bothered typing that, because I literally *never* use webmail; I don't trust it.

My old Yahoo account was accessed precisely twice ever via Firefox: once when I initially created it and secondly when I logged in to reset the password after the first spam happened - apart from that I've only ever connected via Thunderbird, and from this one machine too, so definitely no avenue of attack for cookies in my case. I also force plain text only on all my accounts, as I hate HTML-style email with a vengeance, so they can't even have snuck in via an embedded iframe or pixel in an HTML-formatted email. I think that probably comes as close to 100% ruling out the cookie angle, or even XSS/CSRF/etc., in my case as possible.

Damn, I would really love to get to the bottom of this somehow.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq