Slashdot Mirror


A Medireview Approach To Stopping E-Mail Attacks

dcsmith writes: "This article at the Need To Know web site reports that the free (as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

18 of 260 comments

  1. HTML E-mail Only by akiy · · Score: 5, Informative

    What the original poster of this article failed to mention was that this affects HTML-encoded mail only. Plain vanilla ASCII e-mail is not affected.

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

  2. Re:Can someone please explain... by kowalski1971 · · Score: 2, Informative

    If the email contained embedded javascript, replacing key parts of the javascript syntax would render it useless. javascript like any other (programming) language relies on the syntax of the code being precise... in the English language 'eval' and 'review' have similar meanings but in javascript 'review' means nothing.

  3. Re:Verified? by Anonymous Coward · · Score: 2, Informative

    It happens only if the E-Mail is MIMEd as text/html. If it has no MIME type, it doesn't get fiddled with.

    While I would commend Yahoo! for at least trying to protect their users, it would seem like doing this without some kind of notice or disclaimer kinda sucks ass.

  4. Verified by jhunsake · · Score: 3, Informative

    Source Message:
    <html>
    <body>
    m o c h a: mocha <mocha>
    free e x p r e s s i o n: free expression <free expression>
    m e d i e v a l : medieval <medieval>
    </body>
    </html>

    Result:
    m o c h a : espresso, free e x p r e s s i o n : free statement m e d i e v a l : medireview

  5. Re:Low Brow Solution by tps12 · · Score: 2, Informative

    The four letter combination eval pops up in thousands of words (my guess).

    Guess again:

    $ grep -c eval /usr/share/dict/words
    22

    --

    Karma: Good (despite my invention of the Karma: sig)

  6. Probably already fixed by Eric+Seppanen · · Score: 3, Informative

    Various politech readers tested yahoo mail for the problem and it appears that this problem is already fixed. So don't everybody go rushing off and start mailing yourself- you probably won't find anything.

    Oh, and since NTK is slashdotted already, you might want to read the original politech message to see what we're talking about.

    --
    314-15-9265

    1. Re:Probably already fixed by realdpk · · Score: 4, Informative

      Sorry, Politechbot is wrong - it is still happening, I just tried it a few seconds ago.

  7. Text of NTK now article by kowalski1971 · · Score: 2, Informative

    Appears to have been /.'ed, here's the relevant bit:

    Nice to see, in the midst of all these scandals, Yahoo turning a healthy profit. But as other companies fiddle the figures, Yahoo's been busy instead with fiddling its own users' private correspondence. In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a @yahoo.com account, and your choice in coffee will be silently switched to "espresso". Talk about "free expression", and your recipient will think you said "free statement". Here's the full list of swaperoos:
    http://www.ntk.net/2002/07/12/yahoo.txt
    - try not to mail it to your friends

    This fiddling has been going on now for over a year (the ever vigilant RISKS digest noted it back in March 2001). But because of Yahoo's underhand methods, very few people have spotted the turnabout - certainly far fewer than if Yahoo had done the sensible thing and, say, "**"'ed out the vowels in the word, or, God forbid, written a smarter parser. But the sneakier you are, the wider the damage spreads. The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview". Google now shows over 640 sites (and 1,150 separate instances) of the word "medireview" being used as a synonym for medieval. University papers, bibliographies and book reviews, Indian newspaper columnists, and endless enthusiast sites drop it unseen into texts. People have begun to ask where it originally came from, and does it have a subtler meaning beyond "medieval"? Is Yahoo ever going to fix its filters? Or is it time we pushed to get the first regexp-obfuscated word into the Oxford English Dictionary?
    http://catless.ncl.ac.uk/Risks/21.34.html
    - does anyone still at Yahoo even know how to turn it off?
    http://www.google.com/search?q=medireview
    - NTK now entirely filled with google links

  8. Verified by Anonymous Coward · · Score: 1, Informative

    Tried it on my yahoo account - from my work account I sent, html formatted,

    "last night we played in a medieval setting while drinking mocha and talking about free expression"

    and it arrived

    "last night we played in a medireview setting while drinking espresso and talking about free statement"

    sigh

  9. Re:Low Brow Solution by Anonymous Coward · · Score: 1, Informative

    Does that include variants (evaluation, evaluations, evaluating etc.)?
    I get 304 from my English wordlist

  10. Another reason to PGP sign your mail.. by molo · · Score: 5, Informative

    This would not be as much of an issue if everyone used PGP signatures on email. It will tell you if the message has been modified in transit.

    More info in the PGP faq

    Also, for an excellent GPLed implementation of OpenPGP, use GnuPG.

    --
    Using your sig line to advertise for friends is lame.

  11. 'News'? Old as the hills mate - April 2001 by fatphil · · Score: 2, Informative

    _Originally_ from comp.risks 21.27 in 2001
    (google for it - I can't be bothered to translate all the lts and gts by hand, so the following will be munged a bit, this is the explicit mention of medireview from comp.risks 21.34)

    Date: Mon, 2 Apr 2001 22:00:13 -0400
    From: Kirrily Skud Robert
    Subject: More on Yahoo mail's anti-virus attachment translation

    Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw
    the following e-mail on a mailing list which discusses medieval cookery:

    From:
    Subject: (OT) "Medireview" ???

    Does anyone know why certain Web sites and mail servers change the word
    "medieval" to "medireview" without any warning? Have I missed something? ...

    So the 'original' story is only a few days less stale than the NTK one.

    Early 2001, come on, get a grip. News should be _new_.

    FatPhil

    --
    Also FatPhil on SoylentNews, id 863

  12. I just verified it. by rc5-ray · · Score: 5, Informative

    I just sent the following words through my yahoo account (as HTML mail).

    "eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"

    This is what arrived in my inbox.

    "review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "

    I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.

    It's curious that only some of the words were changed, but not all the ones listed in the article.

  13. Changes revert back upon forwarding by 1729 · · Score: 2, Informative

    I sent an HTML email to my yahoo account and the words were changed as described. However, when I forwarded the changed email back to my work address, the changes disappeared and I had the original email back, "eval" and all.

  14. Re:Can someone please explain... by roybadami · · Score: 2, Informative

    Sorry, I should have said remove the elements, not remove the tags. Though, as has now been pointed out to me, this in itself is not enough, certain otherwise safe elements have attributes that are problematic.

  15. "mocha" explained by Anonymous Coward · · Score: 1, Informative

    I'll explain the "mocha" thing. Yes, the parent post is right: it's an old name for JavaScript.

    It's been discovered recently that in Netscape it's also an undocumented alias for the "javascript:" URL protocol, that is the pseudo-protocol that evaluates script text.

    This created a new kind of problem with web forums and the like. This kind of web app, for example, filters out "javascript:" URLs for images embedded in posts, because they could be used to perform Cross-Site Scripting attacks (e.g. steal the user's cookies). "mocha:" is a new possible backdoor to inject code in these scenarios.
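
The contrast raised in comments 14 and 15, as an added example that is not part of the thread and not Yahoo's code: blind substring replacement next to a parser-based filter that drops whole elements, keeps only allowlisted attributes, checks URL schemes against an allowlist, and never rewrites text. The tag, attribute and scheme lists and the sample message are assumptions made for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example; not Yahoo's actual rules.
ALLOWED_TAGS = {"html", "body", "p", "b", "i", "a", "img", "br", "ul", "li"}
DROP_WITH_CONTENT = {"script", "style", "object", "iframe", "layer", "applet", "form"}
ALLOWED_ATTRS, URL_ATTRS = {"href", "src", "alt", "title"}, {"href", "src"}
SAMPLE = ('<p>A medieval feast with mocha and free expression.</p>'
          '<a href="mocha:x" onclick="y">link</a><script>eval("x")</script>')  # constructed input

def naive_filter(html):  # blind substring replacement, the behaviour reported in the thread
    for bad, good in (("eval", "review"), ("mocha", "espresso"), ("expression", "statement")):
        html = html.replace(bad, good)
    return html

def url_allowed(value):
    compact = re.sub(r"[\x00-\x20]", "", value).lower()  # browsers strip tabs/newlines in URLs
    scheme = re.match(r"([a-z][a-z0-9+.\-]*):", compact)
    return scheme is None or scheme.group(1) in ("http", "https", "mailto")  # None: relative URL

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [(k, v or "") for k, v in attrs if k in ALLOWED_ATTRS]
            kept = [(k, v) for k, v in kept if k not in URL_ATTRS or url_allowed(v)]
            self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, escape(v)) for k, v in kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text nodes are never rewritten

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

An element left unclosed in `DROP_WITH_CONTENT` suppresses everything after it, so malformed input fails closed rather than leaking markup.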

  16. Re: OT: I just verified it. by orthogonal · · Score: 2, Informative

    I paid the $30 to get POP3 access [from Yahoo, I presume] for a year, so it isn't just the free(beer) accounts.

    I paid $35 to get my-domain-name.tld hosted by Yahoo! This included: five addresses @mydomain.tld, Yahoo! advertising on every outgoing mail, and Geocities web space with ads and whatever absurd bandwidth limit a free Geocities site has. Then Yahoo! told me I'd have to pay $30 to continue having POP3 access.

    So I transferred my domain to hostica.com, and for $25 bucks got: another year of registration, as many email addresses as I want (albeit forwarded to one POP3 account), 5MB of space, and 10GB/month of bandwidth, with the option to add services from an a la carte pricing menu. And did I mention? No ads!

    (I have no financial interest in hostica, I get no referral fee, no consideration of any sort for this post. This ain't no ad, and it's not even that I don't think you could do as well somewhere else. It's more that you can do a lot better than Yahoo, for not much money. It's just a matter of doing the math -- $65/annum for less, or $25/annum for much more -- and preferring better service.)

  17. The message is not changed, just the view of it by slyfox · · Score: 5, Informative

    When viewing an HTML mail in Yahoo, it does the translation before it displays the mail for you. However, if you 'export' or download the message, it still looks fine. Thus, it looks as if the messages are not being changed when sent or received, they are only modified when being displayed through Yahoo's HTML webmail. Granted, based on the google searches, it is still causing lots of problems for users.