Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Lax" Crossdomain Policy Puts Yahoo Mail At Risk

Posted by samzenpus on from the protect-ya-neck dept.

msm1267 writes A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more. Yahoo has patched one issue related to a specific .swf file hosted on Yahoo's content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.

9 of 50 comments (clear)

  1. Silly me by EzInKy · · Score: 3, Funny

    I thought Flash was so nearly dead now that all that was left was pronouncement by two qualified physicians. I seriously find it hard to believe that a modern firm like Yahoo would even support it at this point.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Silly me by popo · · Score: 3, Insightful

      Nearly dead? You're talking about the most popular multimedia platform in the world. Yes, Flash sucks. I'll be the first to agree. And as much as anyone, I'd like to see HTML5 kick ass. But it's still lacking in several departments which prevent it from being widely adopted by online game developers. (Good clock / framerate control, a stellar IDE and code protection not being the least of them).

      I've used several HTML5 IDE's and they blow. Coding is still fraught with browser issues and quirks. Speed is iffy at best for many important libraries. 3D transforms for example ... Don't get me started.

      Relatively few developers are writing hit games in HTML5 yet. (Please note the term "relatively") Not that writing great HTML5 games can't be done. It absolutely can be done. (Save yourself the effort of cherry-picking the latest demo of what HTML5 can do. I know. I've written a few). But "potential" is not the issue. Kingdom Rush, for example is written in Flash. Not HTML5. The devs at Ironhide aren't clueless. They chose Flash for a reason, Kongregate also has Unity games and HTML5 games -- but what percent are those? Why? Because they're all dumb? No. It's because AS3 is standard across platforms, extensible and blazing fast.

      HTML5 fans are absolutely on the right track (I count myself as an HTML5 fan), but IMHO most are wholly delusional about how close they are to victory, and about just how "dead" Flash really is. Slashdotters and other people "in the know" know that Flash's days are numbered. But out there in Internet-land, *hundreds of millions* of users use Flash every day. That doesn't count as "dead" by any definition. And the Flash development community is still growing,

      --
      ------ The best brain training is now totally free : )
    2. Re:Silly me by Chris+Mattern · · Score: 3, Funny

      Most Slashdotters think Flash is dead because Steve Jobs said it was.

      Ironically, now Flash is still alive while Steve Jobs is dead.

    3. Re:Silly me by gstoddart · · Score: 2

      Dude, Flash is dead! Get over it.

      Are we defining "dead" as "widely used despite being a pathetic security hole", or are we sticking with the more traditional "nobody uses it any more".

      Because if we're defining "dead" in the latter sense, as much as I wish you were right, I'd have to say you're probably wrong.

      --
      Lost at C:>. Found at C.
    4. Re:Silly me by PPH · · Score: 2

      Flash is dead.

      -- Emperor Ming.

      --
      Have gnu, will travel.
  2. Re:What did I not say just the other day? by Anonymous Coward · · Score: 3, Insightful

    I love how I get proven right in the face of idiots with mod points.

    Except...you didn't. Yahoo's email got screwed by *YAHOO'S* CDN, which is run by Yahoo on a yahoo.com domain. Their problem is that they failed to pass the buck to someone who could actually manage their content securely. You claimed that a CDN allows others to infect the shared CDN content which then would infect those people that used them. Here, the problem was that Yahoo Mail decided to trust everything with a yahoo.com domain or sub-domain, and a different part of Yahoo made an SWF file that allowed privilege escalation.

    If Yahoo had used a proper CDN with a different domain like akamai.net, then they wouldn't have had this particular problem. That'll teach them to follow your advice. The worst part is that you read this as you being right when actually reading what happened shows that you had things completely backwards.

  3. Lax by Rei · · Score: 2

    Well, you need a lax SWF policy to allow the SWFs to swim upstream and spawn.

    --
    "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
  4. A flash vulnerability? by gstoddart · · Score: 2

    I'm completely shocked to hear this.

    No, wait, I'm not surprised at all. Flash has been a security hole for as long as it has existed.

    I don't understand why people let web sites run arbitrary code. Adobe made a horrible platform from a security perspective, and it's been pretty much constantly in the headlines since.

    I honestly don't know why people continue to trust the damned thing, and can't believe the sheer number of times I've heard it's been a vector for security holes. Donzens? Hundreds?

    Seriously, just stop running the damned thing.

    --
    Lost at C:>. Found at C.
  5. Re:crap coding by mcgrew · · Score: 2

    Yes, which is why I installed Thunderbird. I now still have my old 10+ year old email address and a stable email client. My phone's email client works well with the yahoo email as well.

    Just install a real email client and your problems vanish.

    --
    Free Martian Whores!