Yahoo and Hotmail Filter Flaw
gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."
Surely that's gotta be wrong! A security hole in IE???
No freakin' WAY!?
Don't park drunk, accidents cause people.
Myway is also great as a portal or homepage, it's much more customizeable than any other site I've seen, and again, no banners or popups.
You can also read all AP and Reuters stories with no registration, and there's partner links to NY Times and other reg-req'd sites (great for submitting articles to Slashdot).
...almost panicked, then I noticed:
only works in IE5 though...
hmm... <mouseGesture>down-right</mouseGesture>
- It is simple to make something complex, and complex to make it simple
Had me worried there for a second.
Still, I've got friends who run IE, and now they'll have incentive to learn the true joys of Mozilla FireFox.
Thanks for the heads-up.
hanzie
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Just have the malicious code make the browser go to my viagra site and force the user to buy 10 cases. That would make me an ULTRA spammer.
Once I do this, I will be able to afford that soul I've been eying on eBay all week.
to use Mozilla, Konqueror, Opera, et al instead of IE.
had me worried for a few seconds too ;)
thank you firefox!
"Solution: GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation. All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date. "
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
Yep. Thank Mozilla for Firefox.
Seriously, folks -- I have said it before and I'll say it again -- do not use Microsoft products when it comes to the Internet.
If you care, even minimally, about security, then Firefox and Thunderbird should be installed by default on your Windows machine instead of Internet Explorer and Outlook.
This was the case in one of the companies I worked for, and they had almost zero virus problems in two years.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
If they are going to attack my Hotmail Account they are up for a fight! Pr0n and Viagra have a firm hold, and it is going to take a lot to beat them to my Inbox.
- Your stupidity got you into this mess, why can't it get you out? -Will Rogers
hmm... should this have been 'news'? most people (well, at least on here) know of sites like Hushmail which offer much better (and still free) security for web-based email. Hotmail and Yahoo are... well, about as secure as windows :)
I didn't see anything in the article about IE 5. Are all versions vulnerable?
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
more things to fix for the joe six-pack user
"It is a greater offense to steal men's labor, than their clothes"
I love being able to use yahoo with pop3, I like it a lot better than my ISP email.
Also you know what's funny? myway.com is in my hosts file routed to 0.0.0.0. It's blocked from my computer, as a ad/spam domain. I unblocked it, and I can't see any features of myway on their site. It looks like an almost identical clone to yahoo. It goes back in the hosts file.
I think I'll stick with good ol' reliable yahoo. It's only been down once in the past two years.
BTW, I use linux, so I don't need to worry about this silly IE vulnerability. (I don't even use the webclient anyway).
Alt F C
They are obviously diligently searching for the clowns who keep sending me requests from "Yahoo" and "Citibank" to put in my account information, on websites hosted in Russia and Korea.
Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...
Yahoo, Hotmail Users Vulnerable to XSS PC Attack
Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack that lets malicious users run local code, according to Israel's GreyMagic security consultants (proof of concept). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself, mentioned last month on Slashdot. More coverage at InternetNews and The Register.
Respect to MS for fixing the problem only 2 days later.
It's not the first and won't be the last IE exploit! Be prepared! Don't buy into the monoculture - use "second tier" software whenever possible. Mozilla Firefox is a fantastic free web browser with many security features and simple toggles. Eprompter is an excellent, simple, and free POP3\Hotmail\webmail client that lets you delete messages server-side before you open\view them.
Most important of all, keep up-to-date with Slashdot and other news services to stay aware of new vulnerabilities!
The reporter has it wrong.
ALL versions of IE *since* 5 contain this feature, which means that if there's a flaw in the filtering mechanism of the web-based email provider, script will run.
Yep, IE5, IE5.5 and IE6.
Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.
I propose reform at Slashdot right now!
Last time I checked the latest version of IE was 6. I say this my friends, let's not use this as an excuse to attack Microsoft. Instead let's argue and attack about users who need to update. Who's with me? ARE YOU WITH ME? Wooooooo!
[Just Shut Up and Do What I say]
GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
Wow...I'm actually sort of impressed that Microsoft fixed a vulnerability in their product that was pointed out to them in email, rather than ignoring it until it blew up in their face. . .
good to see slashdot has recent news, hotmail was fixed 2 days after grey reported it to them
It's cool that a security firm discovered a flaw, wow, they told the affected vendors and they fixed it, wow. Now it's filtered, wow.
So the flaw existed and, previously, IE5.5 users could have had Bad Things happen to them, however, it was a flaw in the online filtering service. We all knew IE sucks and if you are dumb enough to use it you could get compromised by any number of methods. OK, so why is this news again?
The best way to prevent against these sorts of exploits is to block HTML email. To this end I offer a program that I can not vouch for but claims to do this. http://www.emailaddressmanager.com/email_sentinel.html
At the bottom of the article
"GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date."
Now that's weird. Microsoft fixing something before it's truly made public! :)
According to the details I've seen on the exploit, it's not just Hotmail and Yahoo that are vulnerable but most webmail interfaces. Has anyone tested this against Horde and SquirrelMail?
A lot of people are saying "big deal, I don't use IE." Neither do I, nor do I use yahoo or hotmail for anything personal. But some of my friends only have a hotmail/yahoo account and use IE either because it's their only choice (at work), or they're too lazy to install, configure and learn to use a new browser.
Now the article says this security flaw allows "Content disclosure of any email in the mailbox." This means that if you have sent anything personal to any mailbox on yahoo or hotmail, this info might be vulnerable, even if you personally don't use IE. The recipient might use IE and get their inbox read by others.
If it lets scripts run on a client, why is this considered a flaw in hotmail/yahoo rather than a flaw in IE? I tried reading the article, but I am not that familiar with HTML and scripting.
Wanna reduce 90% of your virus/exploit problems in Windows without doing squat? Just stop using Outlook and IE (duh!). There are other e-mail and HTTP clients you can select from. But I guess that is too simple of a solution for most folks.
Wow, free encrypted webmail? I posted above about how great Yahoo has been for me, but this is pretty cool. I've always worried about my emails being completely unencrypted, and it seems like a bit of a hassle to set up PGP for emails. I think I'll sign up for this and test it out for a while! Thanks for the tip!
If this flaw works only in IE5, then it is not a flaw in yahoo/hotmail, but just another IE exploit.
Well, like most /. folk, I'm using Firefox on BSD on an SPARC.
If you let your friends and relatives use Windows and IE, then you are only harming them (and the rest of us who get slammed by their viruses trying to break mutt on my machine).
Take the needle out. Put down the crack pipe.
Really, the web took off because it was platform independent and full of juicy goodness.
"Must use IE" or "best used with IE" means that they should STOP using http to transfer their garbage and only serve on MSN.
Really. The web sucked the business out of Compuserve for a good reason. Open Platforms and Open Standards were the big attraction. Remember?
---
During the myDoom.* fest, I asked our SVP about looking at deploying Linux on the desktop for users who don't truly actually REQUIRE MS and MS tools.
He asked if I "thought Linux was ready for the desktop here."
"Hmmm," said I, "I'm not 100%. But do you think Windows is?"
Slashdot is a news service?
I had but a simple dream, to destroy all humans.
God bless firefox!!! I stopped using IE a looooong time ago... ActiveX controls are the bane of my existence
That Yahoo and Hotmail are pretty much the most used/spammed services out there, and therefore will have their security holes pinpointed sooner than lesser-known services. Doesn't mean that the lesser knowns are more secure, just blissfully ignorant. Something to ponder...
------- "A true friend stabs you in the front." -Eliot
The sample exploit works just fine on IE 6 too - from the article, it looks like it should work on IE 5.5 and on.
You say this company is clearly focused on security; well, it should be, after all the trouble Microsoft has been through recently (all those exploits for windows that were, needless to say, pretty major).
Whatever people may say, Microsoft has got a lot of money. Money usually means that you can pay for important things. It is good to see that Microsoft isn't totally slacking and letting things go to rot.
I would expect the same of IBM and Sun.
This really demonstrated to me the power of open source code. It seems to me that the reason this flaw was discovered, and fixed, was because it was an exploit with a scripting language. Which means anyone (like GreyMagic) can examine the code, find an exploit, write up a reproducible case, and provide it back to the software owners.
This isn't a security flaw of any meaning. This is a way to slip past the content filter on Yahoo! and Hotmail. Big fricking deal. Any script you manage to slip by the filters using this script could be found on any web page. There is no system vulnerability involved here. All "injected" scripts are subject to the same sandboxes and vulnerabilities that code you put up on your web page is. Nothing more, nothing less. Yahoo! doesn't need to jump on this because the damn thing is just an inconvenience, not a security threat.
Do they also need fixes?
The real "Libtards" are the Libertarians!
That's actually a pretty good idea, at first glance anyway:
Promote Fire/Moz~ the way gator, or Monkey, or wondertoolbar, whatever that crap is people install. Don't look at it from the tech view that most of us here share, look at it from grandma's view, and take a page from the marketers. Don't make them feel foolish for not switching already, either, and check any exasperation. Change is hard for many people.
-cp-
Why is it so hard to understand that when script can run in a web-based email it can do whatever the USER can do and more?
That means your entire mailbox can be read and sent to a remote server.
That means emails can be sent from the mailbox.
That means your address book can be accessed.
Running script in general might be an inconvenience, but in this context, it's a big-ass security vulnerability.
If you know of any other such filtering flaws that aren't patched, feel free to point them out. But I assure you that everything you'll find by Googling had already been patched.
Well, number 224853 shouldn't scare you. It is entirely about Mozilla politics, and doesn't involve software at all.
Number 204506 says, "Actual Results: I can enter maxlength + 1 characters into a input field." That doesn't sound very scary. There is no mention of running code in the extra byte.
Bug 182176 says, "This is not much of a security hole since chrome can read any file anyways and non-trusted content can't use chrome URLs. It's worth fixing in case some future exploit allows untrusted content to use chrome urls, but I'm removing the security flag because there's no exploit here."
Bug 129996 is about an annoyance, at most.
Good old Mozilla. Yes, the parent post is a troll. No security problems are shown in the link.
Remember that Hotmail was down on Friday March 12.
This is the time when Microsoft was working on the fix. Could the two events be related?
Am I wrong, or did MS only change Hotmail? If that's the case, then technically they did not fix the problem - IE is still vulnerable. Go figure. Anyway, it's pretty quick turnaround on their part.
Actually, it's an OS/2 fork with added bugs, vulnerabilities, and security holes.
Don't ask that question: I was modded down, "Offtopic", for asking the exact same question!
The real "Libtards" are the Libertarians!
But since it's IE5 or greater, you sum (IE5 = 11%) + (IE6=72%) = 93% of the browser population affected.
I think he was referring to Safari Bookshelf. At least I hope he was. I think it was just a misguided attempt at humor.
Guns don't kill people -- people kill people.
But the guns seem to help a bit. (apologies to Eddie Izzard)
This is a bug in Hotmail and Yahoo's filtering of HTML and scripting code. Normally these sites strip any script code, but this is a new way of injecting arbitrary script code into the HTML page Hotmail or Yahoo gives you showing the email you wanted to view.
An attacker could craft an HTML email that, when viewed in your inbox on Yahoo or Hotmail will execute some JavaScript or other script code from within the context of the Hotmail.com or Yahoo.com window. So it could do nasty things like deleting your messages automatically, forwarding your emails to another address, etc.
It does NOT allow your computer to execute native code unless the attack exploits some other browser-specific vulnerability.
Webmail will always be susceptible to these kinds of attacks if it does not carefully filter out HTML using any number of obscure features to insert malicious script in the Hotmail.com output.
It's nice that MS has fixed this already... and annoying that Yahoo hasn't acknowledged it yet... ...but when will MS address this problem at the true source, i.e. by patching the bug in IE that allows this exploit to work? Or are they just trying to make Yahoo look bad?
MS, having the IE and Hotmail source code, knows the exact details of the bug. By fixing it only on the Hotmail side, they've left other competing webmail providers vulnerable, who will have a hard time fixing the bug without access to the IE source code? Just a wild guess...
Number 204506 says, "Actual Results: I can enter maxlength + 1 characters into a input field." That doesn't sound very scary. There is no mention of running code in the extra byte.
Not a security hole? No offense, but I find it possible you've never developed a web application before. It could definitely prove to cause trouble, on a poorly-coded app which fails to test the data input properly. Throw in lousy exception handling, and you may have a hole.
slashdot? Who here uses IE 5.0? Or any version of IE for that matter. Oh yea.. I forgot the cluesers we have to support. damn.
Word.
When I worked for a VLSI team in Boston in the late eighties, our CAD vendor had a support contract which promised one major release a year. But it was almost a year since version 4.0, and their new release wasn't ready. So they just patched their latest release (4.2) with some bug fixes and a few minor features, and shipped it as 5.0. Everyone could see it was basically the same as 4.0 + patches.
When version 5.1 came out a few months later, that was a huge change over 5.0! They replaced their standard menu-for-newbies + hotkeys-for-experts interface with the most hideous UI I've ever had the misfortune of using. It was based on "mouse gestures." You were supposed to "draw" a D with your mouse to delete a selected object, for instance. Half the time it would get the wrong gesture. Our productivity dropped precipitously, but because the 5.0 release had been rushed, there were bugs that were fixed in 5.1 and we couldn't work with the 5.0. So many customers complained that they quickly came out with 5.2, which was just 5.0 with the known bugs fixed.
So I've learned that the positions of the digits don't necessarily mean anything. Hell, you can't even assume monotonicity all the time!
The problem is a flaw in IE and web sites get the blame? It should be IE that doesn't read malicious content because how hard is it to just set up an evil web site and link to it in an email?
Viola, problem not solved!
HTTP/1.1 400
A: Yahoo almost never answer anything.
B: Yahoo are secretive; Microsoft (Hotmail) are hopeless.
C: Who uses IE anyway? AOLers?
Are you bitter and twisted because you shelled out thousands for MS cert only to discover that it's utterly worthless, or are you B&T because you still haven't caught on to it, and now blame those *nix commies for the fact that you can't get a decent-paying job...?
Just wondering is all.
boky
I will give you only one more chance before denouncing your wrong arithmetic ways.
Terrorist.
IANAL but write like a drunk one.
Since obviously you have half a clue about what you are doing.
For the people that have got not a clue, the recommendation of the poster preceding your post is timely and accurate.
IANAL but write like a drunk one.
I signed with Yahoo in 1996, from no spam at all I am now receiving 100+ messages a day.
The irritating thing is that at least 5 or 6 make it to my Inbox that could have been clearly filtered.
Also false positives are common, so I am forced to check the last page of spam for legit messages before removing the full lot.
Very disappointing, specially since early adopters like me, that got a yahoo.com address have to pay for POP3 access (the people saying you don't have to are clearly uninformed). With POP3 I would take care of spam myself.
IANAL but write like a drunk one.
I think you misunderstand how standards work. They provide a framework of things that MUST or SHOULD be implemented. They don't say "...and you MUST NOT implement anything else".
Probably just went into their bulk mail.
>All attempts to contact Yahoo unfortunately
>failed. Mail was sent to security and secure at
>yahoo.com and at yahoo-inc.com, no replies were
>received to date.
This is at the root an IE problem, not a Yahoo or Hotmail problem. The press (news.com reported this yesterday) and this GreyMagic, whoever they are, are being too kind to IE and Microsoft.
It is a bug in Mozilla, but it's not a security bug in Mozilla. It may simplify the exploitation of a security bug in a web application through stock Mozilla. It did not, however, create said security bug in that web application - the security bug was already there. As you describe: "poorly-code app which fails to test the data input properly".
According to published information, Yahoo is not responding to the report of a flaw in e-mail filtering software for Yahoo Inc. Web-based e-mail services that could result in the theft of login and password information; the disclosure of message contents in the user's mailbox and contact file; and the exploitation of the user's machine by an outside agent.
What is SBC doing to resolve this serious vulnerability that your customers are exposed to as a result of this serious flaw on yahoo's part?
We, your customers, never had the opportunity to choose whether expose ourselves to yahoo, their advertising and this vulnerability.
I would appreciate some assurance that this severe vulnerability is being fixed.
see: E-Week article
and: Source report of vulnerability
--robin
...Boycott Disney
That's still a massive number of users out there who are vulnerable, due to the fact that IE6 still has this problem.
Yahoo might just sit on this until someone uses the flaw to write a virus that exploits it.
Here's the idea:
User views e-mail.
Code executes that sends a copy of the message to everyone in user's inbox and address book that has an @yahoo.com address.
Repeat.
Yahoo grinds to a halt and HAS to start filtering the exploit, or more likely, filter the specific virus thus leaving the hole itself open.
Of course I have neither the skill nor inclination to implement such an idea. I happen to like using Yahoo and would be pissed if some script kiddie brought it to its knees.
"Live Free or Die." Don't like it? Then keep out of the USA
"We learned of a cross-site scripting issue in Yahoo Mail, and immediately began working towards a resolution which was implemented yesterday," says Mary Osako, senior director of communications at Yahoo
"And The Geek Shall Inherit The Earth" --Jeff Darlington
Also, random mails from my sister's Yahoo account from overseas seem to be getting lost before they get to us (on an ISP mail account). Same thing happened a while back to some mails from my mom's friend's hotmail account. And I've never had any problems with my ISP's mail account.
The flaw relies on a proprietary extension of Internet Explorer.
This extension has nothing to do with HTML specifications as documented by the W3C.
Yahoo! did nothing bad. The Yahoo! filtering system works. Yahoo is not supposed to deal with every browser specific non-standard extension.
If I release a patch for Mozilla that implements a tag that formats your hard disk, should we immediately blame every webmail on the planet because there's a vulnerability here?
No. And the fact that IE is widely used shouldn't mean that it should be a special case and that every program out there should care about its silly specific extensions.
{{.sig}}
Original poster said "only works" in IE5. Depending on your perspective, you might prefer to say that you will only experience a [security] failure if you happen to be running IE.
If I'm the hacker, then I would use the word "works." As a user, I experience a "failure."
I remember countless days of using the yahoo/hotmail hack that would send you another hotmail or yahoo user's password. And that was fixed about 7 times; now this running scripts will have to be fixed about 7 times too. What else is new?