Slashdot Mirror


A Medireview Approach To Stopping E-Mail Attacks

dcsmith writes: "This article at the Need To Know web site reports that the free (as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

30 of 260 comments

  1. My words not theirs by wastedbrains · · Score: 3, Interesting

    I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature on". I mean if I send anyone an e-mail I expect it to arrive as I sent it. What is the point of a global mail that picks what you can and can't write about?

    --
    Dan Mayer: my blog, essays, art, etc
  2. Wow by Nept · · Score: 5, Funny

    I can't believe it...a slashdot editor actually spelled "medieval" correctly.

    --
    "Teachers leave us kids alone ..." - Roger Waters, Pink Floyd
  3. Enh? by gregbaker · · Score: 5, Interesting
    Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

    Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend its baffling type guessing to parts of documents as well?

    1. Re:Enh? by ZxCv · · Score: 4, Interesting

      ...wouldn't it be easy to replace the word only if it appeared in a script?

      Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether it's embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully, it's just to say that, in practice, it's no simple task.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
    2. Re:Enh? by wdr1 · · Score: 3, Funny

      Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

      No, nothing like that.

      "mocha" is what javascript was called before the big java hype. You'd want to replace "mocha" for the same reason you want to replace "javascript", as many browsers will still treat the two the same for backwards-compatibility reasons.

      -Bill

      --
      SlashSig Karma: Excellent (mostly affected by moderatio
  4. HTML E-mail Only by akiy · · Score: 5, Informative

    What the original poster of this article failed to mention was that this affects HTML-encoded mail only. Plain vanilla ASCII e-mail is not affected.

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

  5. Yahoo works better... by zulux · · Score: 4, Funny

    ...than the CmdrTaco speling and gramer filterer that keeps Slashdot free of all 'dose cross syte scripting bugs that plauge windozw lusers. It werks espeshilayy well of page wisening posts the effect Internet Exploder useres as well.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    1. Re:Yahoo works better... by DotComVictim · · Score: 4, Funny

      What is wrong with you? You doesn't not even spell "gramer" right. The correct speling was "grahmer", like the crackers you probably doesn't not eat too.

  6. Reason for changes... by joebp · · Score: 5, Interesting
    eval => review

    Eval is a commonly used javascript command (duh).

    mocha => espresso

    An interesting one. Mocha is the old name for what became Javascript.

    expression => statement

    Obvious

    javascript => java-script

    Breaks most javascript embedded in HTML email.

    jscript => j-script

    As above.

    vbscript => vb-script

    Breaks most vbscript embedded in HTML email.

    livescript => live-script

    Another old name for Javascript.

    However, this seems the most retarded possible way of cutting out scripts in HTML emails.

    Better would be a regexp something like .*? and targeted removal of a few other tags.

    1. Re:Reason for changes... by Jerf · · Score: 3, Funny

      And here I thought you had meant running s/.*//g as a deliberate commentary on the average value of email going to or from Yahoo!....

    2. Re:Reason for changes... by gusnz · · Score: 3, Interesting

      Actually, "expression" is not so obvious.

      IE4+ allows you to embed JavaScript in CSS statements using the "expression" parameter to evaluate it, and return a value to a CSS class. It's obscure, but the syntax is:

      <span style="margin-top: expression(JavaScript code here)">

      (Hopefully this doesn't get munged by Slashdot's own filtering code). So it's a potentially serious security breach for anyone considering parsing HTML documents and allowing STYLE="" attributes to persist (most mail clients do), especially because it is not well known amongst most coders. Further info is available from MSDN for anyone interested. Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack, resulting in many goat-themed redirects?

      Anyway, a while ago I used Yahoo Mail as my main account and sent quite a few JavaScripts back and forward related to my website, and noticed "onmouseover" was changed to "onfilterchange" and similar replacements in the body of the mail. This was about 6 months back at least, so it's nothing new. Personally, I think they could probably come up with better filtering methods, but then again stealing a Yahoo! account's details using JS could be a lot more dangerous (finance sections etc) than your average Slashdot trollery -- so perhaps the extra caution is warranted.

      Perhaps the original JavaScript designers should have included a META tag to disable all scripting in the current document, so you could include that in all your static CGI documents and not have to worry about the details. It would certainly improve the security of many sites if it was adopted by most browsers even now.
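
An added example, not part of any comment above and not Yahoo's code: a model of the substitution table joebp lists, applied as blind substring replacement, beside a parse-and-allowlist sanitizer of the kind the thread argues for. The tag and attribute policy, the function names and the sample message are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Table as listed in the thread, applied as blind substring replacement
# (the exact matching rules are an assumption).
BLOCKLIST = {"eval": "review", "mocha": "espresso", "expression": "statement",
             "javascript": "java-script", "jscript": "j-script",
             "vbscript": "vb-script", "livescript": "live-script"}
_WORDS = re.compile("|".join(map(re.escape, BLOCKLIST)), re.I)

def blocklist_filter(html_text):
    return _WORDS.sub(lambda m: BLOCKLIST[m.group(0).lower()], html_text)

# Hypothetical allowlist policy: anything not named here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "span", "a"}
ALLOWED_ATTRS = {"a": {"href"}}            # no style=, no on* handlers
SAFE_URL = re.compile(r"^(https?|mailto):", re.I)
DROP_WITH_CONTENT = {"script", "style"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                 # swallow everything up to the end tag
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())
                    and v and SAFE_URL.match(v.strip())]
            attr_text = "".join(f' {k}="{escape(v)}"' for k, v in kept)
            self.out.append(f"<{tag}{attr_text}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is never rewritten

def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

# Constructed sample message, not taken from the thread.
SAMPLE = ('<p>A medieval mocha recipe</p><script>eval("1")</script>'
          '<span style="margin-top: expression(x)" onmouseover="y()">hi</span>'
          '<a href="javascript:void(0)">a</a><a href="https://example.com/">b</a>')
```

The substring filter rewrites the prose and leaves the `onmouseover` handler in place, while the allowlist pass drops the script, the `style` and `on*` attributes and the non-http link without touching the words. Because output is rebuilt only from allowlisted tags and escaped text, markup the parser misreads is lost or shown as text rather than passed through.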

  7. Yahoo response by naoursla · · Score: 5, Funny

    When questioned about the filter, Yahoo claimed the filter was "double plus good".

  8. Verified by jhunsake · · Score: 3, Informative

    Source Message:
    <html>
    <body>
    m o c h a: mocha <mocha>
    free e x p r e s s i o n: free expression <free expression>
    m e d i e v a l : medieval <medieval>
    </body>
    </html>

    Result:
    m o c h a : espresso, free e x p r e s s i o n : free statement m e d i e v a l : medireview

  9. Probably already fixed by Eric+Seppanen · · Score: 3, Informative
    Various politech readers tested yahoo mail for the problem and it appears that this problem is already fixed. So don't everybody go rushing off and start mailing yourself- you probably won't find anything.

    Oh, and since NTK is slashdotted already, you might want to read the original politech message to see what we're talking about.

    --
    314-15-9265
    1. Re:Probably already fixed by edrugtrader · · Score: 3, Interesting

      seems like the regex is flawed to me...

      would evaluation become reviewuation... probably not. i think they need a special case when there isn't a whitespace character in the front of eval.

      hotmail has this problem too, but they just try to stop all of the ways a script could start... the problem though: IE is so fux0ered up that you can sometimes create iframes in malformed tags, and then just run the script in the iframe.

      yahoo must have the same problems.

      --
      MARIJUANA, SHROOMS, X: ONLINE?! - E
    2. Re:Probably already fixed by realdpk · · Score: 4, Informative

      Sorry, Politechbot is wrong - it is still happening, I just tried it a few seconds ago.

  10. Other amusing mangled words floating around by nd · · Score: 5, Interesting

    The use of these words has also been catching on due to this behavior:

    "retrireview" (retrieval): 333 matches at google.
    "prreviewent" (prevalent): 41 matches at google.

    I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then using them on their own thinking it's proper? Or are many webmasters cutting and pasting their content from HTML e-mails or something?

    1. Re:Other amusing mangled words floating around by suwain_2 · · Score: 4, Interesting
      I believe you meant "Lorem Ipsum"

      A search for "Lorm Ipsum" returns 6 results, but suggests "Lorem Ipsum" instead. That brings up "about" 38,100 results.

      As I curiously searched for the meaning of this phrase, I stumbled across this explanation here. Essentially, it's an adaptation of some classic quote, but, it seems, no longer really makes any sense at all.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    2. Re:Other amusing mangled words floating around by Speare · · Score: 3, Interesting
      If you're interested in the text which includes "Lorem Ipsum," or Lipsum, you may want to check out this site: http://www.lipsum.com/

      Definitely far more than the average person needs to know about it, but way cool if you're into printing trivia.

      --
      [ .sig file not found ]
  11. Arrgh by sulli · · Score: 3, Insightful

    Why not just give the user the option to STRIP OUT ALL THE FUCKING HTML IN EVERY EMAIL? I for one HATE html email - hate it with a passion - hate the slow loading and the crashing browsers and the cookies/images loaded without my permission. Add that feature and this problem goes away.

    --

    sulli
    RTFJ.
  12. It's not just Yahoo by Jonathunder · · Score: 3, Interesting

    This strange neologism "medireview" has crept into many serious, even scholarly websites.

    "It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources ..." (book review).

    "The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules)

    "Lectures on the Crusades and medireview society." (college course syllabus)

    It makes one long for the Dark Ages.

  13. Bah by SuiteSisterMary · · Score: 4, Funny

    When they're replacing random (or not so random...) words with either 'smurf' or 'fnord,' THEN it's time to worry.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  14. Another reason to PGP sign your mail.. by molo · · Score: 5, Informative

    This would not be as much of an issue if everyone used PGP signatures on email. It will tell you if the message has been modified in transit.

    More info in the PGP faq

    Also, for an excellent GPLed implementation of OpenPGP, use GnuPG.

    --
    Using your sig line to advertise for friends is lame.
  15. I just verified it. by rc5-ray · · Score: 5, Informative
    I just sent the following words through my yahoo account (as HTML mail).

    "eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"

    This is what arrived in my inbox.

    "review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "

    I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.

    It's curious that only some of the words were changed, but not all the ones listed in the article.

  16. Re:Low Brow Solution by Jerf · · Score: 4, Interesting
    I get 85:
    antimedieval, cheval, chevalier, chevaline, coeval, coevality, coevally, crevalle, devall, devaloka, devalorize, devaluate, devaluation, devalue, equaeval, evaluable, evaluate, evaluation, evaluative, evalue, forevalue, grandeval, kevalin, longeval, Masdevallia, mediaevalize, mediaevally, Medieval, medieval, medievalism, medievalist, medievalistic, medievalize, medievally, neomedievalism, nonprevalence, nonprevalent, nonrevaluation, omniprevalence, omniprevalent, Perceval, premedieval, premedievalism, prevalence, prevalency, prevalent, prevalently, prevalentness, prevalescence, prevalescent, prevalid, prevalidity, prevalidly, prevaluation, prevalue, primeval, primevalism, primevally, pseudomedieval, quinquevalence, quinquevalency, quinquevalent, quinquevalve, quinquevalvous, quinquevalvular, reprieval, retrieval, revalenta, revalescence, revalescent, revalidate, revalidation, revalorization, revalorize, revaluate, revaluation, revalue, rounceval, shrieval, shrievalty, trevally, undershrievalty, unevaluated, unmediaeval, unprevalent
    Ain't UNIX fun?
  17. multi-platform, anywhere by TheOnlyCoolTim · · Score: 3, Funny

    telnet mailserver.example.com 110

    +OK InterMail POP3 server ready.
    user exampleuser
    +OK please send PASS command
    pass examplepass
    +OK exampleuser is welcome here
    list
    +OK 1 messages
    1 719
    .
    retr 1
    +OK 719 octets

    I send you this message in order to have your advice.

    .
    dele 1
    +OK
    quit
    +OK exampleuser InterMail POP3 server signing off.

    Tim

    --
    Omnia vestra castrorum habetur nobis.
  18. The message is not changed, just the view of it by slyfox · · Score: 5, Informative

    When viewing an HTML mail in Yahoo, it does the translation before it displays the mail for you. However, if you 'export' or download the message, it still looks fine. Thus, it looks as if the messages are not being changed when sent or received, they are only modified when being displayed through Yahoo's HTML webmail. Granted, based on the google searches, it is still causing lots of problems for users.

  19. MediReview is a trademark! by cgleba · · Score: 4, Interesting

    From http://www.multum.com/SubscribeRx.htm

    "MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."

    This is so amusing!

  20. Re:Low Brow Solution by PacoTaco · · Score: 3, Funny
    William F. Buckley produces one every now and then. His vocabulary is scary, and he is an incorrigible show-off.

    Personally, I think he's just a blatherskite. ;)

  21. Information corruption by Jonny+290 · · Score: 4, Funny

    I'm going to laugh when Starbucks sues the shit out of Yahoo when they order 100,000 units of mocha and get shipped 100,000 units of espresso.

    Fucking idiotic.

    --
    Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...