A Medireview Approach To Stopping E-Mail Attacks

dcsmith writes: "This article at the Need To Know web site reports that the free(as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

Wow

[Nept]

I can't believe it...a slashdot editor actually spelled "medieval" correctly.

Enh?

[gregbaker]

Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend it's baffling type guessing to parts of documents as well?

HTML E-mail Only

[akiy]

What the original poster of this article failed to mention was that this affects HTML-encoded mail only. Plain vanilla ASCII e-mail is not affected.

Reason for changes...

[joebp]

eval => review

Eval is a commonly used javascript command (duh).

mocha => espresso

An interesting one. Mocha is the old name for what became Javascript.

expression => statement

Obvious

javascript => java-script

Breaks most javascript embedded in HTML email.

jscript => j-script

As above.

vbscript => vb-script

Breaks most vbscript embedded in HTML email.

livescript => live-script

Another old name for Javascript.

However, this seems the most retarded possible way of cutting out scripts in HTML emails.

Better, would be a regexp something like .*? and targetted removal of a few other tags.

Yahoo response

[naoursla]

When questioned about the filter, Yahoo claimed the filter was "double plus good".

Other amusing mangled words floating around

[nd]

The use of these words have also been catching on due to this behavior:

"retrireview" (retrieval): 333 matches at google.
"prreviewent" (prevalent): 41 matches at google.

I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?

Another reason to PGP sign your mail..

[molo]

This would not be as much of an issue if everyone used PGP signatures on email. It will tell you if the message has been modified in transit.

More info in the PGP faq

Also, for an excellent GPLed implementation of OpenPGP, use GnuPG.

I just verified it.

[rc5-ray]

I just sent the following words through my yahoo account (as HTML mail).

"eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"

This is what arrived in my inbox.

"review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "

I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.

It's curious that only some of the words were changed, but not all the ones listed in the article.

The message is not changed, just the view of it

[slyfox]

When viewing an HTML mail in Yahoo, it does the translation before it displays the mail for you. However, if you 'export' or download the message, it still looks fine. Thus, it looks as if the messages are not being changed when sent or received, they are only modified when being displayed through Yahoo's HTML webmail. Granted, based on the google searches, it is still causing lots of problems for users.