Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Medireview Approach To Stopping E-Mail Attacks

Posted by timothy on from the can-neither-confirm-nor-deny dept.

dcsmith writes: "This article at the Need To Know web site reports that the free(as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

18 of 260 comments (clear)

  1. My words not thiers by wastedbrains · · Score: 3, Interesting

    I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature on". I mean if i send anyone a e-mail i expect it to arrive as i sent it. What is the point of a global mail that picts what you can and can't write about.

    --
    Dan Mayer: my blog, essays, art, etc
  2. Enh? by gregbaker · · Score: 5, Interesting
    Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

    Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend it's baffling type guessing to parts of documents as well?

    1. Re:Enh? by ZxCv · · Score: 4, Interesting

      ...wouldn't it be easy to replace the word only if it appeared in a script?

      Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether its embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully, its just to say that, in practice, its no simple task.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  3. Reason for changes... by joebp · · Score: 5, Interesting
    eval => review

    Eval is a commonly used javascript command (duh).

    mocha => espresso

    An interesting one. Mocha is the old name for what became Javascript.

    expression => statement

    Obvious

    javascript => java-script

    Breaks most javascript embedded in HTML email.

    jscript => j-script

    As above.

    vbscript => vb-script

    Breaks most vbscript embedded in HTML email.

    livescript => live-script

    Another old name for Javascript.

    However, this seems the most retarded possible way of cutting out scripts in HTML emails.

    Better, would be a regexp something like .*? and targetted removal of a few other tags.

    1. Re:Reason for changes... by gusnz · · Score: 3, Interesting

      Actually, "expression" is not so obvious.

      IE4+ allow you to embed JavaScript in CSS statements using the "expression" parameter to evaluate it, and return a value to a CSS class. It's obscure, but the syntax is:

      <span style="margin-top: expression(JavaScript code here)">

      (Hopefully this doesn't get munged by Slashdot's own filtering code). So it's a potentially serious security breach for anyone considering parsing HTML documents and allowing STYLE="" attributes to persist (most mail clients do), especially because it is not well known amongst most coders. Further info is available from MSDN for anyone interested. Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack, resulting in many goat-themed redirects?

      Anyway, a while ago I used Yahoo Mail as my main account and sent quite a few JavaScripts back and forward related to my website, and noticed "onmouseover" was changed to "onfilterchange" and similar replacements in the body of the mail. This was about 6 months back at least, so it's nothing new. Personally, I think they could probably come up with better filtering methods, but then again stealing a Yahoo! account's details using JS could be a lot more dangerous (finance sections etc) than your average Slashdot trollery -- so perhaps the extra caution is warranted.

      Perhaps the original JavaScript designers should have included a META tag to disable all scripting in the current document, so you could include that in all your static CGI documents and not have to worry about the details. It would certainly improve the security of many sites if it was adopted by most browsers even now.

      --
      <!-- DHTML / JavaScript menu, popup tooltip, Ajax scripts -->
  4. Re:Low Brow Solution by nrmrvrk · · Score: 2, Interesting

    I believe the word you're looking for is "Kludge". This definitely applies. Replace all the words you want but it's the wrong path to take. It's like filtering all of your EMail for certain words and then just adding onto the list of words/phrases you look for. Doing this without running something that either checks for valid domains or looks at a blacklist is not a good solution. Let's hope Yahoo! does more than just replace "Mocha" with "latte" or "Cafe Au Lait". I wonder if they can somehow translate to h4x0r language maybe using Google.

    Don't forget to change:
    Mocha
    M0ch4
    ^^0[h4

    etc...

    absurd

    --
    Keine eier
  5. Re:Probably already fixed by edrugtrader · · Score: 3, Interesting

    seems like the regex is flawed to me...

    would evaluation become reviewuation... probably not. i think they need a special case when there isn't a whitespace character in the front of eval.

    hotmail has this problem too, but they just try to stop all of the ways a script could start... the problem though: IE is so fux0ered up that you can sometimes create iframes in malformed tags, and then just run the script in the iframe.

    yahoo must have the same problems.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  6. uuencoded files? by Anonymous Coward · · Score: 1, Interesting

    Don't these strings each have a non-zero probability of appearing in a uuencoded file?

  7. Other amusing mangled words floating around by nd · · Score: 5, Interesting

    The use of these words have also been catching on due to this behavior:

    "retrireview" (retrieval): 333 matches at google.
    "prreviewent" (prevalent): 41 matches at google.

    I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?

    1. Re:Other amusing mangled words floating around by suwain_2 · · Score: 4, Interesting
      I believe you meant "Lorem Ipsum"

      A search for "Lorm Ipsum" returns 6 results, but suggests "Lorem Ipsum" instead. That brings up "about" 38,100 results.

      As I curiously searched for the meaning on this phrase, I stumbled across this explanation here. Essentially, it's an adaptation of some classic quote, but, it seems, no longer really makes any sense at all.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    2. Re:Other amusing mangled words floating around by awful · · Score: 2, Interesting

      Yes, I think that is exactly what is happening. It seems like medireview enthusiasts are suffering a case of Emperor's New Clothes syndrome - no-one's brave enough to say "hang on - why are we using this stupid word? And where did it come from anyway?"

    3. Re:Other amusing mangled words floating around by Speare · · Score: 3, Interesting
      If you're interested in the text which includes "Lorem Ipsum," or Lipsum, you may want to check out this site: http://www.lipsum.com/

      Definitely far more than the average person needs to know about it, but way cool if you're into printing trivia.

      --
      [ .sig file not found ]
  8. prehaps it another problem. by infonography · · Score: 2, Interesting

    I find it's often a error between the keyboard and the chair. I would surmise that someone has a Spell Checker set to 'Don't ask, Don't tell' Perhaps we are attributing a program glitch in the sender's client to Evil Intentions. Gee, like that's the first time its happened here.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  9. Re:Probably already fixed by Dante333 · · Score: 2, Interesting

    I just tried it. I sent the list from NTK to my Yahoo account in HTML format and what I sent was NOT what I got.

    What I sent:

    eval => review
    mocha => espresso
    expression => statement
    javascript => java-script
    jscript => j-script
    vbscript => vb-script
    livescript => live-script

    And what I got

    review => review
    espresso => espresso
    statement => statement
    java-script=> java-script
    j-script => j-script
    vb-script => vb-script
    live-script => live-script

    This is not cool. Whats next? *'s when I tell someone to goe F*** themseleves?

  10. Re:Can someone please explain... by Anonymous Coward · · Score: 1, Interesting

    What or tag?

    <img src="hello.jpg" onmouseover="dosomething();">

  11. It's not just Yahoo by Jonathunder · · Score: 3, Interesting

    This strange neologism "midireview" has crept into many serious, even scholarly websites.

    "It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources ..." (book review).

    "The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules

    "Lectures on the Crusades and medireview society." (college course sylabus

    It makes one long for the Dark Ages.

  12. Re:Low Brow Solution by Jerf · · Score: 4, Interesting
    I get 85:
    antimedi eval, cheval, chevalier, chevaline, coeval, coevality, coevally, crevalle, devall, devaloka, devalorize, devaluate, devaluation, devalue, equaeval, evaluable, evaluate, evaluation, evaluative, evalue, forevalue, grandeval, kevalin, longeval, Masdevallia, mediaevalize, mediaevally, Medieval, medieval, medievalism, medievalist, medievalistic, medievalize, medievally, neomedievalism, nonprevalence, nonprevalent, nonrevaluation, omniprevalence, omniprevalent, Perceval, premedieval, premedievalism, prevalence, prevalency, prevalent, prevalently, prevalentness, prevalescence, prevalescent, prevalid, prevalidity, prevalidly, prevaluation, prevalue, primeval, primevalism, primevally, pseudomedieval, quinquevalence, quinquevalency, quinquevalent, quinquevalve, quinquevalvous, quinquevalvular, reprieval, retrieval, revalenta, revalescence, revalescent, revalidate, revalidation, revalorization, revalorize, revaluate, revaluation, revalue, rounceval, shrieval, shrievalty, trevally, undershrievalty, unevaluated, unmediaeval, unprevalent
    Ain't UNIX fun?
  13. MediReview is a trademark! by cgleba · · Score: 4, Interesting

    From http://www.multum.com/SubscribeRx.htm

    "MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."

    This is so amusing!