Slashdot Mirror


"Lax" Crossdomain Policy Puts Yahoo Mail At Risk

msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.
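
An added example, not part of the submission or the researcher's write-up: a small Python audit of a Flash `crossdomain.xml` policy file that flags the kind of broad trust the summary describes. The sample policies and the `example.com` hostnames are constructed, and the severity labels are this example's own assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not Yahoo's actual file): trusts every subdomain.
LAX_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="mail.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed tightened policy: only a named host, master policy only.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="mail.example.com"/>
</cross-domain-policy>"""

GRANTS = ("allow-access-from", "allow-http-request-headers-from")


def audit_crossdomain(xml_text):
    """Return (severity, element, reason) findings for one policy file."""
    # For files fetched from hosts you do not control, parse with a
    # hardened XML parser (e.g. defusedxml) instead of the stdlib one.
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag == "site-control":
            if el.get("permitted-cross-domain-policies") == "all":
                findings.append(("medium", el.tag,
                                 "any policy file on the host is honoured"))
        elif el.tag in GRANTS:
            domain = el.get("domain", "").strip()
            if domain == "*":
                findings.append(("high", el.tag, "every origin is trusted"))
            elif domain.startswith("*."):
                findings.append(("medium", el.tag,
                                 f"any SWF hosted under {domain[2:]} is trusted"))
            # secure="false" lets content served over HTTP read HTTPS data.
            if el.tag == "allow-access-from" and \
                    el.get("secure", "true").lower() == "false":
                findings.append(("medium", el.tag, "secure=false"))
    return findings


if __name__ == "__main__":
    for sev, tag, reason in audit_crossdomain(LAX_POLICY):
        print(f"[{sev}] {tag}: {reason}")
```

A wildcard subdomain entry means one flawed SWF anywhere under that domain is enough to read data cross-origin, which is why fixing a single file leaves the configuration issue in place.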

50 comments

  1. Silly me by EzInKy · · Score: 3, Funny

    I thought Flash was so nearly dead now that all that was left was pronouncement by two qualified physicians. I seriously find it hard to believe that a modern firm like Yahoo would even support it at this point.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Silly me by Anonymous Coward · · Score: 0

      The 2 qualified Physicians are too busy giving Yahoo CPR

    2. Re:Silly me by Anonymous Coward · · Score: 0

      You're assuming Yahoo=modern and Yahoo=serious. At least one of these is false.

    3. Re:Silly me by popo · · Score: 3, Insightful

      Nearly dead? You're talking about the most popular multimedia platform in the world. Yes, Flash sucks. I'll be the first to agree. And as much as anyone, I'd like to see HTML5 kick ass. But it's still lacking in several departments which prevent it from being widely adopted by online game developers. (Good clock / framerate control, a stellar IDE and code protection not being the least of them).

      I've used several HTML5 IDEs and they blow. Coding is still fraught with browser issues and quirks. Speed is iffy at best for many important libraries. 3D transforms for example ... Don't get me started.

      Relatively few developers are writing hit games in HTML5 yet. (Please note the term "relatively") Not that writing great HTML5 games can't be done. It absolutely can be done. (Save yourself the effort of cherry-picking the latest demo of what HTML5 can do. I know. I've written a few). But "potential" is not the issue. Kingdom Rush, for example, is written in Flash. Not HTML5. The devs at Ironhide aren't clueless. They chose Flash for a reason. Kongregate also has Unity games and HTML5 games -- but what percent are those? Why? Because they're all dumb? No. It's because AS3 is standard across platforms, extensible and blazing fast.

      HTML5 fans are absolutely on the right track (I count myself as an HTML5 fan), but IMHO most are wholly delusional about how close they are to victory, and about just how "dead" Flash really is. Slashdotters and other people "in the know" know that Flash's days are numbered. But out there in Internet-land, *hundreds of millions* of users use Flash every day. That doesn't count as "dead" by any definition. And the Flash development community is still growing,

      --
      ------ The best brain training is now totally free : )
    4. Re:Silly me by Anonymous Coward · · Score: 0

      Most Slashdotters think Flash is dead because Steve Jobs said it was.

      And Steve Jobs said it was, because supporting Flash would have killed his fledgling AppStore.

    5. Re:Silly me by Anonymous Coward · · Score: 1

      Flash is the A-10 "Warthog" of the Web. Everyone keeps calling it dead. And then it isn't.

    6. Re:Silly me by EzInKy · · Score: 1

      Dude, Flash is dead! Get over it.

      --
      Time is what keeps everything from happening all at once.
    7. Re:Silly me by Chris Mattern · · Score: 3, Funny

      Most Slashdotters think Flash is dead because Steve Jobs said it was.

      Ironically, now Flash is still alive while Steve Jobs is dead.

    8. Re:Silly me by GTRacer · · Score: 1

      And only one of these is a ginger comedian.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    9. Re:Silly me by Anonymous Coward · · Score: 0

      Troll parent is trolling.

    10. Re:Silly me by gstoddart · · Score: 2

      Dude, Flash is dead! Get over it.

      Are we defining "dead" as "widely used despite being a pathetic security hole", or are we sticking with the more traditional "nobody uses it any more".

      Because if we're defining "dead" in the latter sense, as much as I wish you were right, I'd have to say you're probably wrong.

      --
      Lost at C:>. Found at C.
    11. Re:Silly me by Anonymous Coward · · Score: 0

      Blah blah blah. If it's dead, then what replaced it? Please don't say HTML-5. Flash was superior in every single way to HTML-5 ...10 years ago! And it's significantly faster than HTML-5 today.

      Yeah sure HTML-5 can be used to develop games... but it sucks for developing games. I'd rather use Java, and that says how horrible it is to develop for HTML-5. Despite all the HTML-5 hype, there's a reason developers still use Flash. It's still the best choice for streaming video and for web based game development.

    12. Re:Silly me by Anonymous Coward · · Score: 0

      You just used "code protection" and "Flash" in the same paragraph. Your argument is invalid.

    13. Re:Silly me by Anonymous Coward · · Score: 0

      As I read this article using Firefox, I see the warning "Firefox has prevented the outdated plugin 'Adobe Flash' from running on tech.slashdot.org. [Continue Blocking] [Allow]". Hmm... wonder which button I should click...

    14. Re:Silly me by PPH · · Score: 2

      Flash is dead.

      -- Emperor Ming.

      --
      Have gnu, will travel.
    15. Re:Silly me by Anonymous Coward · · Score: 0

      Because, like the Warthog, it gets down-n-dirty, and the job done:

      http://foxtrotalpha.jalopnik.com/the-usafs-rationale-for-retiring-the-a-10-warthog-is-bu-1562789528

      Unfortunately, I think Flash's survival chances are better than the A-10's.

    16. Re: Silly me by Anonymous Coward · · Score: 0

      Meh. It is possible to make games if you tiptoe around performance very carefully. There are a few wrappers like cocoonjs that help in that regard for mobile, but I won't start another game in HTML 5. It is just not there yet. Desktop you have a little more room to breathe, but still...

    17. Re:Silly me by LessThanObvious · · Score: 1

      Yahoo isn't particularly modern. They are in transition trying to be modern while being shackled to their legacy. They are about to lose me as a customer. The new versions of their mobile apps for Yahoo! Mail and Yahoo! Finance ask for way too many permissions. Next time I have to get a new phone and I can't have the old versions, their apps are history and so is my account. Not good for them since I'm one of the holdouts that pays for POP mail access, which I'm glad to have so I can suck down all my mail to reduce its exposure to Big Data and do it in an encrypted format. I'm sorry for Yahoo that Google fooled us all into thinking they were "less commercial" in their early days due to the lack of ads on the search page, what fools we were. Now Google is a monster we all helped create and we killed all their competition.

  2. What did I not say just the other day? by Khyber · · Score: 0

    "Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin."

    As I stated here (and subsequently got modded troll for):

    "Maybe people will start taking real responsibility for their sites and content. Passing the buck is lazy and irresponsible, especially in the case of advertising CDNs (and the subsequent malware infestations that spread as a result of them.)"

    And lookie what gets reported on.

    I love how I get proven right in the face of idiots with mod points.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:What did I not say just the other day? by Anonymous Coward · · Score: 0, Insightful

      Woo, yay, no-one cares.

    2. Re:What did I not say just the other day? by Anonymous Coward · · Score: 3, Insightful

      I love how I get proven right in the face of idiots with mod points.

      Except...you didn't. Yahoo's email got screwed by *YAHOO'S* CDN, which is run by Yahoo on a yahoo.com domain. Their problem is that they failed to pass the buck to someone who could actually manage their content securely. You claimed that a CDN allows others to infect the shared CDN content which then would infect those people that used them. Here, the problem was that Yahoo Mail decided to trust everything with a yahoo.com domain or sub-domain, and a different part of Yahoo made an SWF file that allowed privilege escalation.

      If Yahoo had used a proper CDN with a different domain like akamai.net, then they wouldn't have had this particular problem. That'll teach them to follow your advice. The worst part is that you read this as you being right when actually reading what happened shows that you had things completely backwards.

    3. Re:What did I not say just the other day? by Narcocide · · Score: 1

      I care. You wouldn't have posted unless you care too. Fearing enough that he might be taken seriously that you'd field a ham-fisted attempt to discredit him is still a type of caring.

    4. Re:What did I not say just the other day? by Anonymous Coward · · Score: 0

      If you care so much, and you know so much, I'm sure that Yahoo would be glad to pay you lots of money to fix their problems. From the capitalistic point of view, you're just declaring to the world that you're an idiot throwing away economic opportunity.

    5. Re:What did I not say just the other day? by Khyber · · Score: 1

      "Except...you didn't."

      You didn't bother reading the rest of the article, did you? It goes right on to cover how this affects OUTSIDE sites using Yahoo's Advertising CDN.

      Which STILL PROVES MY POINT.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:What did I not say just the other day? by Narcocide · · Score: 1

      It's an obvious and simple problem that has plagued their services for a very long time, in one or another similar incarnation at least. I'm quite sure in fact that they are actively avoiding hiring anyone who looks like they are experienced enough to notice and seem willing to speak up about it.

  3. Lax by Rei · · Score: 2

    Well, you need a lax SWF policy to allow the SWFs to swim upstream and spawn.

    --
    "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
  4. easy solution by Anonymous Coward · · Score: 0

    get rid of the flash-based ads and tracking "super cookies"

    problem solved.

  5. crap coding by sociocapitalist · · Score: 1

    Of all the email front ends that I have ever used, I have nothing but slowness and crashes from Yahoo no matter what platform I'm on.

    Anyone else having this experience?

    --
    blindly antisocialist = antisocial
    1. Re:crap coding by mcgrew · · Score: 2

      Yes, which is why I installed Thunderbird. I now still have my old 10+ year old email address and a stable email client. My phone's email client works well with the yahoo email as well.

      Just install a real email client and your problems vanish.

  6. Est.1998 by cloud.pt · · Score: 1

    This is why my Yahoo account is my "disposable account" creation SH*TBOX. Way back since 1998

  7. You are ignorant. by Anonymous Coward · · Score: 0

    Your position lacks evidence. Flash is, without even having a close competitor, the premier multimedia platform on the web.

    It still powers YouTube, Vimeo and every major video site. It powers the video feeds of most major, non-mobile news portals. It is pre-installed in Google Chrome. Flash content is being actively created in greater quantities today than 5 years ago. It is viewed by hundreds of millions of people per month. It is the web-based game development platform of choice for a vast majority of game developers, where HTML5 holds a very tiny minority. Every major gaming site relies principally on Flash. The vast majority of sites supporting video games, major Hollywood releases and television shows uses Flash. Every major consulting company, media company, training and distance learning company, university and entertainment company uses Flash.

    Keep shrieking "Flash is dead, dude". But your position is frankly ignorant. HTML5 is cool. Very, very cool. But you're like a mosquito biting an elephant and claiming victory.

    I live in a world of statistics and facts. You, like a child, live in a world where you believe the things you want to be true.

    1. Re:You are ignorant. by plover · · Score: 1

      That's funny, because YouTube happily rolls over to HTML5 when you don't have Flash installed, and it works just fine.

      As much as it pissed me off when Jobs said 'no Flash on the iPhone', it was a brilliant move at weaning the world from one of the least secure software packages in history. It's impossible to change the whole world at once, especially when Adobe is trying so desperately to cling to this albatross, but Adobe has never taken the responsibility for building a new, secure engine and eliminating the backward compatibility holes. They just keep enabling vulnerability after vulnerability.

      Flash may not be dead, but it's long past its time to live.

      --
      John
    2. Re:You are ignorant. by Anonymous Coward · · Score: 0

      So answer this one question:

      Why doesn't YouTube stop serving Flash videos entirely? Why have two video formats? And why is Flash format on desktops not the default -- even in modern browsers?

      Answer that. (I honestly bet you can't.)

    3. Re:You are ignorant. by plover · · Score: 1

      Because Flash still works on many old browsers. YouTube wants to serve as many people as they can, and wants to avoid as many technical issues as they can. They know there are many people who got something working five or more years ago that haven't upgraded their browsers to anything that can display HTML5.

      --
      John
    4. Re:You are ignorant. by Anonymous Coward · · Score: 0

      Partially correct. The larger issue is advertising, which can be very easily disabled from the DOM in HTML5 video.

  8. A flash vulnerability? by gstoddart · · Score: 2

    I'm completely shocked to hear this.

    No, wait, I'm not surprised at all. Flash has been a security hole for as long as it has existed.

    I don't understand why people let web sites run arbitrary code. Adobe made a horrible platform from a security perspective, and it's been pretty much constantly in the headlines since.

    I honestly don't know why people continue to trust the damned thing, and can't believe the sheer number of times I've heard it's been a vector for security holes. Dozens? Hundreds?

    Seriously, just stop running the damned thing.

    --
    Lost at C:>. Found at C.
    1. Re:A flash vulnerability? by Anonymous Coward · · Score: 0

      Use a separate browser for Flash-only purposes. Don't install it in one's primary browser. Problem solved?

  9. Again I ask... by koan · · Score: 1

    Why does Yahoo still exist?

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Again I ask... by CBravo · · Score: 1

      Because larger amounts of people are slow to migrate.

      --
      nosig today
    2. Re:Again I ask... by koan · · Score: 1

      So their business model is people that don't adapt well to new tech, sounds shaky.

      Additionally, Yahoo Answers is one of the worst places to get information IME.

      --
      "If any question why we died, Tell them because our fathers lied."
    3. Re:Again I ask... by ShaunC · · Score: 1

      It isn't just slow migration. Yahoo has been contracted to manage email for a lot of older ISPs, they host mail for a whole lot more than just @yahoo.com users. There are millions of people who use the Yahoo Mail interface because that's what their ISP switched to.

      For example, 20 years ago I had a dialup internet account through my telco at the time, BellSouth. My email address from that service, which I still have, is @bellsouth.net. BellSouth no longer exists, it was swallowed back into ATT when the government decided that monopolies were a great idea again. For a year or two, the BellSouth webmail interface continued to exist, then it was shuffled over to the att.net domain, and several years ago ATT decided to move all of their users over to Yahoo. If I want to check my @bellsouth.net email through the web, I'm taken to Yahoo Mail. (Yes I'm aware of options like mail2web.)

      As far as I know, the same is true for customers from all of the Baby Bells that were re-absorbed back into ATT, and there are plenty of smaller ISPs who gave up on hosting their own mail in favor of paying Yahoo to do it for them. There are many, many people interacting with Yahoo Mail every day who have never had an @yahoo.com email account and probably don't use Yahoo for anything else.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re:Again I ask... by CBravo · · Score: 1

      Well new tech is also lagging. Do you have your own server with email, all services (like monitoring, backup, security, ...) and pretty good spam filtering? For not-so-much money?

      --
      nosig today
    5. Re:Again I ask... by koan · · Score: 1

      By definition "new tech" can not be lagging, and no I just use gmail's "Inbox" although I own a domain name and could easily set up my own server why bother?

      I guess a simpler way to say it is "What does Yahoo offer anyone they can't get somewhere else", and better at that.

      --
      "If any question why we died, Tell them because our fathers lied."
  10. insert security issue here by NetNed · · Score: 1

    When has yahoo mail ever really been secure? Every couple of years it's "Yahoo mail has a security hole because of (insert issue here)".

  11. We thought Carol Bartz was bad... by Anonymous Coward · · Score: 0

    Marissa Mayer has utterly ruined Yahoo Mail ever since she took charge.

    Yahoo Japan Mail was also (eventually) infected by the changes introduced by her.

    She's turning Yahoo Mail into a crappier version of Gmail. Mails aren't mails anymore, they're 'conversations'.

    Marissa you insufferable wench.

  12. When slashdot was useful... by patniemeyer · · Score: 1

    I remember the days when the highest rated comment on Slashdot would be a nice summary of the salient point of the article with some insightful agreement or disagreement.

    1. Re:When slashdot was useful... by Anonymous Coward · · Score: 0

      I remember the days when the highest rated comment on Slashdot would be a nice summary of the salient point of the article with some insightful agreement or disagreement.

      The subject has been done to death, the salient point should be "Flash is dead (to me)."

  13. We thought Carol Bartz was bad... by Anonymous Coward · · Score: 0

    Came here to say just that. They're too busy redesigning the exteriors and completely fucking it up to notice how crumby and crumbly it really is.