Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Medireview Approach To Stopping E-Mail Attacks

Posted by timothy on from the can-neither-confirm-nor-deny dept.

dcsmith writes: "This article at the Need To Know web site reports that the free(as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

12 of 260 comments (clear)

  1. My words not thiers by wastedbrains · · Score: 3, Interesting

    I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature on". I mean if i send anyone a e-mail i expect it to arrive as i sent it. What is the point of a global mail that picts what you can and can't write about.

    --
    Dan Mayer: my blog, essays, art, etc
  2. Enh? by gregbaker · · Score: 5, Interesting
    Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

    Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend it's baffling type guessing to parts of documents as well?

    1. Re:Enh? by ZxCv · · Score: 4, Interesting

      ...wouldn't it be easy to replace the word only if it appeared in a script?

      Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether its embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully, its just to say that, in practice, its no simple task.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  3. Reason for changes... by joebp · · Score: 5, Interesting
    eval => review

    Eval is a commonly used javascript command (duh).

    mocha => espresso

    An interesting one. Mocha is the old name for what became Javascript.

    expression => statement

    Obvious

    javascript => java-script

    Breaks most javascript embedded in HTML email.

    jscript => j-script

    As above.

    vbscript => vb-script

    Breaks most vbscript embedded in HTML email.

    livescript => live-script

    Another old name for Javascript.

    However, this seems the most retarded possible way of cutting out scripts in HTML emails.

    Better, would be a regexp something like .*? and targetted removal of a few other tags.

    1. Re:Reason for changes... by gusnz · · Score: 3, Interesting

      Actually, "expression" is not so obvious.

      IE4+ allow you to embed JavaScript in CSS statements using the "expression" parameter to evaluate it, and return a value to a CSS class. It's obscure, but the syntax is:

      <span style="margin-top: expression(JavaScript code here)">

      (Hopefully this doesn't get munged by Slashdot's own filtering code). So it's a potentially serious security breach for anyone considering parsing HTML documents and allowing STYLE="" attributes to persist (most mail clients do), especially because it is not well known amongst most coders. Further info is available from MSDN for anyone interested. Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack, resulting in many goat-themed redirects?

      Anyway, a while ago I used Yahoo Mail as my main account and sent quite a few JavaScripts back and forward related to my website, and noticed "onmouseover" was changed to "onfilterchange" and similar replacements in the body of the mail. This was about 6 months back at least, so it's nothing new. Personally, I think they could probably come up with better filtering methods, but then again stealing a Yahoo! account's details using JS could be a lot more dangerous (finance sections etc) than your average Slashdot trollery -- so perhaps the extra caution is warranted.

      Perhaps the original JavaScript designers should have included a META tag to disable all scripting in the current document, so you could include that in all your static CGI documents and not have to worry about the details. It would certainly improve the security of many sites if it was adopted by most browsers even now.

      --
      <!-- DHTML / JavaScript menu, popup tooltip, Ajax scripts -->
  4. Re:Probably already fixed by edrugtrader · · Score: 3, Interesting

    seems like the regex is flawed to me...

    would evaluation become reviewuation... probably not. i think they need a special case when there isn't a whitespace character in the front of eval.

    hotmail has this problem too, but they just try to stop all of the ways a script could start... the problem though: IE is so fux0ered up that you can sometimes create iframes in malformed tags, and then just run the script in the iframe.

    yahoo must have the same problems.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  5. Other amusing mangled words floating around by nd · · Score: 5, Interesting

    The use of these words have also been catching on due to this behavior:

    "retrireview" (retrieval): 333 matches at google.
    "prreviewent" (prevalent): 41 matches at google.

    I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?

    1. Re:Other amusing mangled words floating around by suwain_2 · · Score: 4, Interesting
      I believe you meant "Lorem Ipsum"

      A search for "Lorm Ipsum" returns 6 results, but suggests "Lorem Ipsum" instead. That brings up "about" 38,100 results.

      As I curiously searched for the meaning on this phrase, I stumbled across this explanation here. Essentially, it's an adaptation of some classic quote, but, it seems, no longer really makes any sense at all.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    2. Re:Other amusing mangled words floating around by Speare · · Score: 3, Interesting
      If you're interested in the text which includes "Lorem Ipsum," or Lipsum, you may want to check out this site: http://www.lipsum.com/

      Definitely far more than the average person needs to know about it, but way cool if you're into printing trivia.

      --
      [ .sig file not found ]
  6. It's not just Yahoo by Jonathunder · · Score: 3, Interesting

    This strange neologism "midireview" has crept into many serious, even scholarly websites.

    "It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources ..." (book review).

    "The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules

    "Lectures on the Crusades and medireview society." (college course sylabus

    It makes one long for the Dark Ages.

  7. Re:Low Brow Solution by Jerf · · Score: 4, Interesting
    I get 85:
    antimedi eval, cheval, chevalier, chevaline, coeval, coevality, coevally, crevalle, devall, devaloka, devalorize, devaluate, devaluation, devalue, equaeval, evaluable, evaluate, evaluation, evaluative, evalue, forevalue, grandeval, kevalin, longeval, Masdevallia, mediaevalize, mediaevally, Medieval, medieval, medievalism, medievalist, medievalistic, medievalize, medievally, neomedievalism, nonprevalence, nonprevalent, nonrevaluation, omniprevalence, omniprevalent, Perceval, premedieval, premedievalism, prevalence, prevalency, prevalent, prevalently, prevalentness, prevalescence, prevalescent, prevalid, prevalidity, prevalidly, prevaluation, prevalue, primeval, primevalism, primevally, pseudomedieval, quinquevalence, quinquevalency, quinquevalent, quinquevalve, quinquevalvous, quinquevalvular, reprieval, retrieval, revalenta, revalescence, revalescent, revalidate, revalidation, revalorization, revalorize, revaluate, revaluation, revalue, rounceval, shrieval, shrievalty, trevally, undershrievalty, unevaluated, unmediaeval, unprevalent
    Ain't UNIX fun?
  8. MediReview is a trademark! by cgleba · · Score: 4, Interesting

    From http://www.multum.com/SubscribeRx.htm

    "MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."

    This is so amusing!