Slashdot Mirror
Yahoo and Hotmail Filter Flaw
gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."
Surely that's gotta be wrong! A security hole in IE???
No freakin' WAY!?
Don't park drunk, accidents cause people.
Myway is also great as a portal or homepage, it's much more customizeable than any other site I've seen, and again, no banners or popups.
You can also read all AP and Reuters stories with no registration, and there's partner links to NY Times and other reg-req'd sites (great for submitting articles to Slashdot).
...almost paniced, then I noticed:
;
only works in IE5 though...
hmm... <mouseGesture>down-right</mouseGesture>
- It is simple to make something complex, and complex to make it simple
Had me worried there for a second.
Still, I've got friends who run IE, and now they'll have incentive to learn the true joys of Mozilla FireFox.
Thanks for the heads-up.
hanzie
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Just have the malicious code make the browser go to my viagra site and force the user to buy 10 cases. That would make me an ULTRA spammer.
Once I do this, I will be able to afford that sould I've been eying on eBay all week.
to use Mozilla, Konqueror, Opera, et al instead of IE.
"Solution: GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation. All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date. "
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
Yep. Thank Mozilla for Firefox.
Seriously, folks -- I have said it before and I'll said it again -- do not use Microsoft products when it comes to the Internet.
If you care, even minimally, about security, then Firefox and Thunderbird should be installed by default on your Windows machine instead of Internet Explorer and Outlook.
This was the case in one of the companies I worked for, and they had almost zero virus problems in two years.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
If they are going to attack my Hotmail Account they are up for a fight! Pr0n and Viagra have a firm hold, and it is going to take a lot to beat them to my Inbox.
- Your stupidity got you into this mess, why can't it get you out? -Will Rogers
hmm... should this have been 'news'? most people (well, at least on here) know of sites like Hushmail which offer much better (and still free) security for web-based email. Hotmail and Yahoo are... well, about as secure as windows :)
I love being able to use yahoo with pop3, I like it a lot better than my ISP email.
Also you know what's funny? myway.com is in my hosts file routed to 0.0.0.0. It's blocked from my computer, as a ad/spam domain. I unblocked it, and I can't see any features of myway on their site. It looks like an almost identical clone to yahoo. It goes back in the hosts file.
I think I'll stick with good ol' reliable yahoo. It's only been down once in the past two years.
BTW, I use linux, so I don't need to worry about this silly IE vulnerability. (I don't even use the webclient anyway).
They are obviously diligently searching for the clowns who keep sending me requests from "Yahoo" and "Citibank" to put in my account information, on websites hosted in Russia and Korea.
Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...
Yahoo, Hotmail Users Vulnerable to XSS PC Attack
Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack that lets malicious users run local code, according to Israel's GreyMagic security consultants (proof of concept). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself, mentioned last month on Slashdot. More coverage at InternetNews and The Register.
Respect to MS for fixing the problem only 2 days later.
It's not the first and won't be the last IE exploit! Be prepared! Don't buy into the monoculture - use "second tier" software whenever possible. Mozilla Firefox is a fantastic free web browser with many security features and simple toggles. Eprompter is an excellent, simple, and free POP3\Hotmail\webmail client that lets you delete messages server-side before you open\view them.
Most important of all, keep up-to-date with Slashdot and other news services to stay aware of new vulnerabilities!
The reporter has it wrong.
ALL versions of IE *since* 5 contain this feature, which means that if there's a flaw in the filtering mechanism of the web-based email provider, script will run.
Yep, IE5, IE5.5 and IE6.
Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.
GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
Wow...I'm actually sort of impressed that Microsoft fixed a vulnerabillity in their product that was pointed out to them in email, rather than ignoring it until it blew up in their face. . .
According to the details I've seen on the exploit, it's not just Hotmail and Yahoo that are vulnerable but most webmail interfaces. Has anyone tested this against Horde and SquirrelMail?
A lot of people are saying "big deal, I don't use IE." Neither do I, nor do I use yahoo or hotmail for anything personal. But some of my friends only have a hotmail/yahoo account and use IE either because it's their only choice (at work), or they're too lazy to install, configure and learn to use a new browser.
Now the article says this security flaw allows "Content disclosure of any email in the mailbox." This means that if you have sent anything personal to any mailbox on yahoo or hotmail, this info might be vulnerable, even if you personally don't use IE. The recipient might use IE and get their inbox read by others.
If it lets scripts run on a client, why is this considered a flaw in hotmail/yahoo rather than a flaw in IE? I tried reading the article, but I am not that familiar with HTML and scripting.
If this flaw works only in IE5, then it is not a flaw in yahoo/hotmail, but just another IE exploit.
Well, like most /. folk, I'm using Firefox on BSD on an SPARC.
If you lets your friends and relatives use Windows and IE, then you are only harming them (and the rest of us who get slammed by their viruses trying to break mutt on my machine).
Take the needle out. Put down the crack pipe.
Really, the web took off because it was platform independent and full of juicy goodness.
"Must us IE" or "best used with IE" means that they should STOP using http to transfer their garbage and only serve on MSN.
Really. The web sucked the business out of Compuserve for a good reason. Open Platforms and Open Standards were the big attraction. Remember?
---
During the myDoom.* fest, I asked our SVP about looking at deploying Linux on the desktop for users who don't truly actually REQUIRE MS and MS tools.
He asked if I "thought Linux was ready for the desktop here."
"Hmmm," said I, "I'm not 100%. But do you think Windows is?"
Slashdot is a news service?
I had but a simple dream, to destroy all humans.
That Yahoo and Hotmail are pretty much the most used/spammed services out there, and therefore will have their security holes pinponted sooner than lesser-known services. Doesn't mean that the lesser knowns are more secure, just blissfully ignorant. Something to ponder...
------- "A true friend stabs you in the front." -Eliot
You say this company is clearly focused on security; well, it should be, after all the trouble Microsoft has been through recently (all those exploits for windows that were, needless to say, pretty major).
Whatever people may say, Microsoft has got a lot of money. Money usually means that you can pay for important things. It is good to see that Microsoft isn't totally slacking and letting things go to rot.
I would expect the same of IBM and Sun.
This isn't a security flaw of any meaning. This is a way to slip past the content filter on Yahoo! and Hotmail. Big fricking deal. Any script you manage to slip by the filters using this script could be found on any web page. There is no system vulnerability involved here. All "injected" scripts are subject to the same sandboxes and vulnerabilities that code you put up on your web page is. Nothing more, nothing less. Yahoo! doesn't need to jump on this because the damn thing is just an inconvenience, not a security threat.
Do they also need fixes?
The real "Libtards" are the Libertarians!
Why is it so hard to understand that when script can run in a web-based email it can do whatever the USER can do and more?
That means your entire mailbox can be read and sent to a remote server.
That means emails can be sent from the mailbox.
That means your address book can be accessed.
Running script in general might be an inconvenience, but in this context, it's a big-ass security vulnerability.
If you know of any other such filtering flaws that aren't patched, feel free to point them out. But I assure you that everything you'll find by Googling had already been patched.
Well, number 224853 shouldn't scare you. It is entirely about Mozilla politics, and doesn't involve software at all.
Number 204506 says, "Actual Results: I can enter maxlength + 1 characters into a input field." That doesn't sound very scary. There is no mention of running code in the extra byte.
Bug 182176 says, "This is not much of a security hole since chrome can read any file anyways and non-trusted content can't use chrome URLs. It's worth fixing in case some future exploit allows untrusted content to use chrome urls, but I'm removing the security flag because there's no exploit here.
Bug 129996 is about an annoyance, at most.
Good old Mozilla. Yes, the parent post is a troll. No security problems are shown in the link.
Don't ask that question: I was modded down, "Offtopic", for asking the exact same question!
The real "Libtards" are the Libertarians!
This is a bug in Hotmail and Yahoo's filtering of HTML and scripting code. Normally these sites strip any script code, but this is a new way of injecting arbitary script code into the HTML page Hotmail or Yahoo gives you showing the email you wanted to view.
An attacker could craft an HTML email that, when viewed in your inbox on Yahoo or Hotmail will execute some JavaScript or other script code from within the context of the Hotmail.com or Yahoo.com window. So it could do nasty things like deleting your messages automatically, forwaring your emails to another address, etc.
It does NOT allow your computer to execute native code unless the attack exploits some other browser-specific vulnerability.
Webmail will always be succeptible to these kinds of attacks if it does not carefully filter out HTML using any number of obscure features to insert malicious script in the Hotmail.com output.
When I worked for a VLSI team in Boston in the late eighties, our CAD vendor had a support contract which promised one major release a year. But it was almost a year since version 4.0, and their new release wasn't ready. So they just patched their latest release (4.2) with some bug fixes and a few minor features, and shipped it as 5.0. Everyone could see it was basically the same as 4.0 + patches.
When version 5.1 came out a few months later, that was a huge change over 5.0! They replaced their standard menu-for-newbies + hotkeys-for-experts interface with the most hideous UI I've ever had the misfortune of using. It was based on "mouse gestures." You were supposed to "draw" a D with your mouse to delete a selected object, for instance. Half the time it would get the wrong gesture. Our productivity dropped precipitously, but because the 5.0 release had been rushed, there were bugs that were fixed in 5.1 and we couldn't work with the 5.0. So many customers complained that they quickly came out with 5.2, which was just 5.0 with the known bugs fixed.
So I've learned that the positions of the digits don't necessarily mean anything. Hell, you can't even assume monotonicity all the time!
Since obviosuly you have half a clue about what you are doing.
For the people that have got not a clue, the recommendation of the poster preceding your post is timely and accurate.
IANAL but write like a drunk one.
The flaw relies on a proprietary extension of Internet Explorer.
This extension has nothing to do with HTML specifications as documented by the W3C.
Yahoo! did nothing bad. The Yahoo! filtering system works. Yahoo is not supposed to deal with every browser specific non-standard extension.
If I release a patch for Mozilla that implements a tag that format your hard disk, should we immediately blame every webmail on the planet because there's a vulnerability here?
No. And the fact that IE is widely used shouldn't mean that it should be a special case and that every program out there should care about its silly specific extensions.
{{.sig}}