They state that the Yahoo! Mail application for Android does not encrypt communications by default, allowing an attacker to hijack sessions and use them to send spam.
According to the researchers, since Yahoo! Mail for Android uses HTTP instead of HTTPS, data packets sent by the app via an open connection, such as public Wi-Fi, can be easily intercepted.
This form of attack is not new; it was demonstrated in 2010 with the Firesheep tool. However, if the experts are right, the method may still be highly effective.
So how does this type of session hijacking work?
First, the attacker sniffs out Yahoo! Mail traffic on insecure Wi-Fi networks. When the victim joins the network and attempts to check his/her email, the attacker intercepts the session.
“The attacker intercepts a particular cookie and can use it to impersonate that user, over whatever networks are available to them, including by tethering to a mobile network. This allows the attacker to send spam emails that appear 100% legitimate, as those indicated in the original reported story,” experts write.
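As an added example (not code from the article or from Lookout), the following Python audit runs over a constructed capture and flags exactly what this hijack relies on: a session cookie crossing the network inside a cleartext request, and a Set-Cookie that lacks the Secure attribute, so the client will keep sending the cookie over plain HTTP. The host and cookie names are placeholders, not real Yahoo! Mail values.

```python
# Added example, not the article's or Lookout's code; host and cookie names
# are placeholders. Constructed sample: one cleartext exchange and one over
# TLS, as a proxy or capture tool would show them (scheme recorded separately).
SAMPLE_EXCHANGES = [
    {
        "scheme": "http",
        "request": "GET /mail/inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
                   "Cookie: SESSID=abc123; theme=dark\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: SESSID=abc123; Path=/; HttpOnly\r\n\r\n",
    },
    {
        "scheme": "https",
        "request": "GET /mail/inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
                   "Cookie: SESSID=def456\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: SESSID=def456; Path=/; Secure; HttpOnly\r\n\r\n",
    },
]

def _headers(raw):
    """Return (name, value) pairs from the header block of a raw HTTP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [tuple(part.strip() for part in line.split(":", 1))
            for line in head.split("\r\n")[1:] if ":" in line]

def audit_exchange(exchange):
    """Return findings for one request/response pair as (kind, cookie names)."""
    findings = []
    cleartext = exchange["scheme"].lower() == "http"
    for name, value in _headers(exchange["request"]):
        if name.lower() == "cookie" and cleartext:
            # Every cookie here crossed the network unencrypted, so a passive
            # observer on the same Wi-Fi can replay it to impersonate the user.
            names = [c.split("=", 1)[0].strip() for c in value.split(";")]
            findings.append(("cookie-over-cleartext", names))
    for name, value in _headers(exchange["response"]):
        if name.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                # Without Secure, the client will also send it over plain http://.
                findings.append(("set-cookie-missing-secure",
                                 [value.split("=", 1)[0].strip()]))
    return findings

def audit(exchanges):
    """Map exchange index to its findings, for exchanges that raised any."""
    return {i: audit_exchange(ex) for i, ex in enumerate(exchanges)
            if audit_exchange(ex)}
```

Only the first exchange is reported; the TLS exchange with a Secure cookie passes cleanly, which is the state the "enable SSL" setting below is meant to reach.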
To avoid falling victim to such attacks, Yahoo! Mail for Android customers should ensure that SSL is enabled from the app’s “General Settings” menu.
Furthermore, users should be cautious when connecting to public Wi-Fi networks; browser plugins that secure traffic, such as HTTPS Everywhere, are highly recommended.
In their previous post, Lookout researchers revealed that Yahoo was investigating the matter. It’s uncertain at this time whether Yahoo plans to do anything about the issue, but if this plausible scenario is confirmed, they might enable HTTPS by default in future versions.