Slashdot Mirror


"Lax" Crossdomain Policy Puts Yahoo Mail At Risk

msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.


  1. Silly me by EzInKy · · Score: 3, Funny

    I thought Flash was so nearly dead now that all that was left was pronouncement by two qualified physicians. I seriously find it hard to believe that a modern firm like Yahoo would even support it at this point.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Silly me by popo · · Score: 3, Insightful

      Nearly dead? You're talking about the most popular multimedia platform in the world. Yes, Flash sucks. I'll be the first to agree. And as much as anyone, I'd like to see HTML5 kick ass. But it's still lacking in several departments which prevent it from being widely adopted by online game developers. (Good clock / framerate control, a stellar IDE and code protection not being the least of them).

      I've used several HTML5 IDEs and they blow. Coding is still fraught with browser issues and quirks. Speed is iffy at best for many important libraries. 3D transforms, for example ... Don't get me started.

      Relatively few developers are writing hit games in HTML5 yet. (Please note the term "relatively".) Not that writing great HTML5 games can't be done. It absolutely can be done. (Save yourself the effort of cherry-picking the latest demo of what HTML5 can do. I know. I've written a few.) But "potential" is not the issue. Kingdom Rush, for example, is written in Flash. Not HTML5. The devs at Ironhide aren't clueless. They chose Flash for a reason. Kongregate also has Unity games and HTML5 games -- but what percent are those? Why? Because they're all dumb? No. It's because AS3 is standard across platforms, extensible and blazing fast.

      HTML5 fans are absolutely on the right track (I count myself as an HTML5 fan), but IMHO most are wholly delusional about how close they are to victory, and about just how "dead" Flash really is. Slashdotters and other people "in the know" know that Flash's days are numbered. But out there in Internet-land, *hundreds of millions* of users use Flash every day. That doesn't count as "dead" by any definition. And the Flash development community is still growing.

      --
      ------ The best brain training is now totally free : )
    2. Re:Silly me by Anonymous Coward · · Score: 1

      Flash is the A-10 "Warthog" of the Web. Everyone keeps calling it dead. And then it isn't.

    3. Re:Silly me by EzInKy · · Score: 1

      Dude, Flash is dead! Get over it.

      --
      Time is what keeps everything from happening all at once.
    4. Re:Silly me by Chris+Mattern · · Score: 3, Funny

      Most Slashdotters think Flash is dead because Steve Jobs said it was.

      Ironically, now Flash is still alive while Steve Jobs is dead.

    5. Re:Silly me by GTRacer · · Score: 1

      And only one of these is a ginger comedian.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    6. Re:Silly me by gstoddart · · Score: 2

      Dude, Flash is dead! Get over it.

      Are we defining "dead" as "widely used despite being a pathetic security hole", or are we sticking with the more traditional "nobody uses it any more".

      Because if we're defining "dead" in the latter sense, as much as I wish you were right, I'd have to say you're probably wrong.

      --
      Lost at C:>. Found at C.
    7. Re:Silly me by PPH · · Score: 2

      Flash is dead.

      -- Emperor Ming.

      --
      Have gnu, will travel.
    8. Re:Silly me by LessThanObvious · · Score: 1

      Yahoo isn't particularly modern. They are in transition, trying to be modern while being shackled to their legacy. They are about to lose me as a customer. The new versions of their mobile apps for Yahoo! Mail and Yahoo! Finance ask for way too many permissions. Next time I have to get a new phone and I can't have the old versions, their apps are history and so is my account. Not good for them, since I'm one of the holdouts that pays for POP mail access, which I'm glad to have so I can suck down all my mail to reduce its exposure to Big Data and do it in an encrypted format. I'm sorry for Yahoo that Google fooled us all into thinking they were "less commercial" in their early days due to the lack of ads on the search page; what fools we were. Now Google is a monster we all helped create, and we killed all their competition.

  2. Re:What did I not say just the other day? by Anonymous Coward · · Score: 3, Insightful

    I love how I get proven right in the face of idiots with mod points.

    Except...you didn't. Yahoo's email got screwed by *YAHOO'S* CDN, which is run by Yahoo on a yahoo.com domain. Their problem is that they failed to pass the buck to someone who could actually manage their content securely. You claimed that a CDN allows others to infect the shared CDN content which then would infect those people that used them. Here, the problem was that Yahoo Mail decided to trust everything with a yahoo.com domain or sub-domain, and a different part of Yahoo made an SWF file that allowed privilege escalation.

    If Yahoo had used a proper CDN with a different domain like akamai.net, then they wouldn't have had this particular problem. That'll teach them to follow your advice. The worst part is that you read this as you being right when actually reading what happened shows that you had things completely backwards.
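The summary and the comment above both describe the same configuration weakness: a Flash crossdomain.xml that trusts every yahoo.com subdomain, so a single vulnerable SWF anywhere under that policy can make credentialed requests to the mail application. The following audit script is an added example (not from the article or from Yahoo); the two policy documents are constructed samples on an assumed example.com domain, one lax and one tightened, and the checker flags the grants that make a policy this broad.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of a lax crossdomain.xml (not Yahoo's real policy):
# every *.example.com origin, and in fact every origin, may make
# credentialed Flash requests, and per-directory policy files are honoured.
LAX_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed tightened policy: only the named origin, HTTPS only,
# and only the master policy file at the site root is honoured.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="mail.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text: str) -> List[str]:
    """Return findings describing each overly permissive grant in a policy."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # "all" lets any directory on the host publish its own policy file.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append("site-control allows policy files in any directory")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from grants every origin")
        elif domain.startswith("*."):
            # A wildcard grant extends trust to every present and future
            # subdomain, including ones that host unrelated SWF content.
            findings.append(f"wildcard grant {domain} trusts every subdomain")
        # secure defaults to true when the policy is served over HTTPS;
        # an explicit false lets plain-HTTP origins in as well.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"{domain}: secure=false permits HTTP origins")
    return findings


if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain(policy) or ["no findings"])
```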

  3. Re:What did I not say just the other day? by Narcocide · · Score: 1

    I care. You wouldn't have posted unless you care too. Fearing enough that he might be taken seriously that you'd field a ham-fisted attempt to discredit him is still a type of caring.

  4. Lax by Rei · · Score: 2

    Well, you need a lax SWF policy to allow the SWFs to swim upstream and spawn.

    --
    "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
  5. crap coding by sociocapitalist · · Score: 1

    Of all the email front ends that I have ever used, I have nothing but slowness and crashes from Yahoo no matter what platform I'm on.

    Anyone else having this experience?

    --
    blindly antisocialist = antisocial
    1. Re:crap coding by mcgrew · · Score: 2

      Yes, which is why I installed Thunderbird. I now still have my old 10+ year old email address and a stable email client. My phone's email client works well with the yahoo email as well.

      Just install a real email client and your problems vanish.

  6. Est.1998 by cloud.pt · · Score: 1

    This is why my Yahoo account is my "disposable account" creation SH*TBOX . Way back since 1998

  7. A flash vulnerability? by gstoddart · · Score: 2

    I'm completely shocked to hear this.

    No, wait, I'm not surprised at all. Flash has been a security hole for as long as it has existed.

    I don't understand why people let web sites run arbitrary code. Adobe made a horrible platform from a security perspective, and it's been pretty much constantly in the headlines since.

    I honestly don't know why people continue to trust the damned thing, and can't believe the sheer number of times I've heard it's been a vector for security holes. Dozens? Hundreds?

    Seriously, just stop running the damned thing.

    --
    Lost at C:>. Found at C.
  8. Again I ask... by koan · · Score: 1

    Why does Yahoo still exist?

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Again I ask... by CBravo · · Score: 1

      Because larger amounts of people are slow to migrate.

      --
      nosig today
    2. Re:Again I ask... by koan · · Score: 1

      So their business model is people that don't adapt well to new tech, sounds shaky.

      Additionally, Yahoo Answers is one of the worst places to get information IME.

      --
      "If any question why we died, Tell them because our fathers lied."
    3. Re:Again I ask... by ShaunC · · Score: 1

      It isn't just slow migration. Yahoo has been contracted to manage email for a lot of older ISPs, they host mail for a whole lot more than just @yahoo.com users. There are millions of people who use the Yahoo Mail interface because that's what their ISP switched to.

      For example, 20 years ago I had a dialup internet account through my telco at the time, BellSouth. My email address from that service, which I still have, is @bellsouth.net. BellSouth no longer exists, it was swallowed back into ATT when the government decided that monopolies were a great idea again. For a year or two, the BellSouth webmail interface continued to exist, then it was shuffled over to the att.net domain, and several years ago ATT decided to move all of their users over to Yahoo. If I want to check my @bellsouth.net email through the web, I'm taken to Yahoo Mail. (Yes I'm aware of options like mail2web.)

      As far as I know, the same is true for customers from all of the Baby Bells that were re-absorbed back into ATT, and there are plenty of smaller ISPs who gave up on hosting their own mail in favor of paying Yahoo to do it for them. There are many, many people interacting with Yahoo Mail every day who have never had an @yahoo.com email account and probably don't use Yahoo for anything else.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re:Again I ask... by CBravo · · Score: 1

      Well new tech is also lagging. Do you have your own server with email, all services (like monitoring, backup, security, ...) and pretty good spam filtering? For not-so-much money?

      --
      nosig today
    5. Re:Again I ask... by koan · · Score: 1

      By definition "new tech" cannot be lagging, and no, I just use gmail's "Inbox", although I own a domain name and could easily set up my own server. Why bother?

      I guess a simpler way to say it is "What does Yahoo offer anyone they can't get somewhere else", and better at that.

      --
      "If any question why we died, Tell them because our fathers lied."
  9. Re:You are ignorant. by plover · · Score: 1

    That's funny, because YouTube happily rolls over to HTML5 when you don't have Flash installed, and it works just fine.

    As much as it pissed me off when Jobs said 'no Flash on the iPhone', it was a brilliant move at weaning the world from one of the least secure software packages in history. It's impossible to change the whole world at once, especially when Adobe is trying so desperately to cling to this albatross, but Adobe has never taken the responsibility for building a new, secure engine and eliminating the backward compatibility holes. They just keep enabling vulnerability after vulnerability.

    Flash may not be dead, but it's long past its time to live.

    --
    John
  10. insert security issue here by NetNed · · Score: 1

    When has yahoo mail ever really been secure? Every couple of years it's "Yahoo mail has a security hole because of (insert issue here)".

  11. Re:What did I not say just the other day? by Khyber · · Score: 1

    "Except...you didn't."

    You didn't bother reading the rest of the article, did you? It goes right on to cover how this affects OUTSIDE sites using Yahoo's Advertising CDN.

    Which STILL PROVES MY POINT.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  12. When slashdot was useful... by patniemeyer · · Score: 1

    I remember the days when the highest rated comment on Slashdot would be a nice summary of the salient point of the article with some insightful agreement or disagreement.

  13. Re:What did I not say just the other day? by Narcocide · · Score: 1

    It's an obvious and simple problem that has plagued their services for a very long time, in one or another similar incarnation at least. I'm quite sure, in fact, that they are actively avoiding hiring anyone who looks like they are experienced enough to notice and seem willing to speak up about it.

  14. Re:You are ignorant. by plover · · Score: 1

    Because Flash still works on many old browsers. YouTube wants to serve as many people as they can, and want to avoid as many technical issues as they can. They know there are many people who got something working five or more years ago that haven't upgraded their browsers to anything that can display HTML5.

    --
    John