Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email

An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.

Does anyone still use Yahoo email?

[QuietLagoon]

At this point, I'd almost rather have an @aol.com address than an @yahoo.com address.

Re:Does anyone still use Yahoo email?

[gstoddart]

I have one because of my ISP. I know people who have had their Yahoo address so long they keep it out of sheer inertia.

To me this comes down to the fundamental problem: why the hell do we keep trusting websites to run arbitrary scripts? And why the hell do we trust 3rd party scripts in web pages?

So some greedy bastard can give you an ad?

The average Yahoo user likely doesn't use script blockers, and isn't going to start out blocking them only to whitelist what they want.

I can barely convince my wife to keep using the script blocker I've put into her Chrome to block all this shit.

At this point, the entire web has been written on the moronic assumption that people should just let everything run, which leads to stuff like this.

What we need to do is look at this stuff, and remove the default trust ... and what the ad and analytics companies want be damned. They're as much part of the problem as anything, and as often as not they end up serving up the malware in the first place.

Yes, Yahoo has some stuff they need to fix ... but I don't see this as being any more vulnerable than what your average web page expects you to do.

Re:Does anyone still use Yahoo email?

More than you'd suspect. AT&T was using Yahoo to provide email services for their DSL customers.

Re:Does anyone still use Yahoo email?

I have one because of my ISP. I know people who have had their Yahoo address so long they keep it out of sheer inertia.

To me this comes down to the fundamental problem: why the hell do we keep trusting websites to run arbitrary scripts?

Because it's a free service, you cheap bastard.

And why the hell do we trust 3rd party scripts in web pages? So some greedy bastard can give you an ad?

Yes, because that "greedy" provider on the other end has to have some ability to pay for the service they're giving away for free to cheap bastards like yourself.

The average Yahoo user likely doesn't use script blockers, and isn't going to start out blocking them only to whitelist what they want.

I can barely convince my wife to keep using the script blocker I've put into her Chrome to block all this shit.

That's OK, I can barely convince people that the concept you get what you pay for is still a valid one, you cheap bastard.

At this point, the entire web has been written on the moronic assumption that people should just let everything run, which leads to stuff like this.

At this point, no one on the internet thinks that online services like email should be anything but free, leading to a moronic web built by and for cheap bastards.

What we need to do is look at this stuff, and remove the default trust ... and what the ad and analytics companies want be damned. They're as much part of the problem as anything, and as often as not they end up serving up the malware in the first place.

Yes, Yahoo has some stuff they need to fix ... but I don't see this as being any more vulnerable than what your average web page expects you to do.

What we need to do is look at society and start understanding that "free" has some significant cost to it for all of us. Unfortunately, it's not likely to do much good. I didn't expect the world to be so full of cheap bastards...

Re:Does anyone still use Yahoo email?

Adblocker Plus has an option to allow unobtrusive ads. This is the right balance. I will use your free service and accept the ads you serve up that don't compromise my security with shifty javascript, and that don't behave obnoxiously in order to forcibly tear my attention away from what I care about.

I am not a cheap bastard for wanting the ads that pay for my services to be safe and unobtrusive. Of course, I am not the OP either.

Re:Does anyone still use Yahoo email?

[Irate+Engineer]

I got a Yahoo email when they first came out, before Gmail was a thing. It makes a great honeypot email address for websites that need a legit email to work (FYI - My corresponding name is John Doe and I live at 123 Fuckoff St., Anywhere, Zimbabwe). I sure as hell don't bother logging in to open or read anything in there - I'm sure there is crap in there that would make Goatse look suitable for the cover of a mother's day card. When (not if) Yahoo finally gasps its last and dies, I'll be sad for the whole two seconds it takes to set up a new throw away account.

Re:Does anyone still use Yahoo email?

[ShaunC]

They still are; my ancient @bellsouth.net email address was migrated to the att.yahoo.com interface a few years ago.

Re: Does anyone still use Yahoo email?

Ditto for my Ameritech dot net email.

Why bother?

[xxxJonBoyxxx]

>> Yahoo!'s bounty program awarded $10,000 for the research.

That's probably less than the company's daily coffee budget. Why not just sell it to the highest bidder instead?

Re:Why bother?

[phishybongwaters]

Because not all of the skilled and talented people out there are asshats willing to sell out security to make a quick buck?

Re:Why bother?

[kimvette]

For yahoo mail? really?
Why would blackhats buy an exploit for an email provider with a userbase of 3?

Re:Why bother?

Ha! Corporations love the free market until they don't! Must be nice to get all the benefits of being a person under the law without all those messy morals and conscience.

Amount of people

[110010001000]

The number of people affected were 5 of the 11 people who still use Yahoo! mail.

Re:Amount of people

[campuscodi]

Yahoo says they still have 300 million.

Re:Amount of people

[110010001000]

I'm sure that is really accurate. Margin of error is 99.99999%

Re:Amount of people

[Penguinisto]

Prolly counting the spam-trap and inactive email accounts that folks have 'ginned up since it opened...

Re:Amount of people

Lots of people still use Yahoo mail. They're mostly over the age of 50.

Seriously, every time I work on an older person's computer, 9 out of 10 use yahoo email. I even did work for a township office which used Yahoo mail for all their business dealings. And one of the incidents I helped clean up was an infected email that exploited Yahoo's web interface to infect the computer silently, no need to click on an attachment. It's good to see they're actually trying to fix their stuff, but from what I've seen they've got a long way to go.

People like us don't use Yahoo because we know better, but there are lots of people out there who don't.

Now how am I going to get my ex-gfs nudes?

[raymorris]

This fix will make it harder to get my hot ex-gf's nudie pics.

Re:Now how am I going to get my ex-gfs nudes?

[climb_no_fear]

Always make backups, preferably to an insecure cloud service.

Re:Now how am I going to get my ex-gfs nudes?

Slashdotters will send you copies.

Hey, it's the least we can do for a bro.

They have not fixed the bug.

This has been said a million times before but...

Why on Earth is an email reader running any code that happens to be in an email message?

The bug is that the email reader does not just display the raw ASCII text of the message.

I bet they have not fixed that.

Re:They have not fixed the bug.

because emails are not just raw ASCII... HTML is rapidly becoming more popular... and in an HTML reader this can easily happen.

Asshats?

$10,000 is 50 man hours - roughly. So, unless it took less than that to discover the bug, then it's not economically viable with US workers.

And when you consider the potential economic damage that could be caused to Yahoo! if this bug were exploited by people with nefarious intent, $10,000 is downright pathetic.

Whatever, I'm sure everyone will disagree with me because techies have the money sense of a teenager.

Re:Asshats?

For one, the researcher is out of Finland, not the US.

Also, depends on where you work. Maybe you can bill yourself $200/hr in SF, but where I am, you'd be lucky to get $20/hr, and 500 hours could be 3 months depending on how many hours you work some places.

This is quite an improvement

I stopped using Yahoo webmail when I found out that XSS would allow your account to be hijacked if you were merely logged in while viewing a site that included a malicious script.

Thanks, Marissa!

and we've had ads without scripts since forever

[raymorris]

Ads are how we've decided that web-based services are paid for, given the lack of convenient and efficient micro-payments. However, you don't need scripts to have ads. Static images or even text work just fine. Hell, ads printed in ink on paper have paid for newspapers for a hundred years or more. So to whatever extent ads are needed to pay for "free" web sites, that does NOT imply that third-party scripts are required.

cock.li has "http://horsefucker.org/" free email

for reals.

POP/IMAP Affected Also?

[bughunter]

I take it you have to run a script in the email while reading it with the Yahoo web client open, so using a local client is safe. (I don't open mail from people I don't know anyway... and even then, scripts and images are disabled in my client.)

I was able to get myfirstname.mylastname@yahoo.com, so not only do I still use it, but I pay $20 annually for IMAP/SMTP access. I use Thunderbird or iOS Mail to read my mail and only rarely and occasionally use the web client to read mail.

However, their stupid security settings require that I sign into the web client every two weeks to re-enable IMAP.

Re: POP/IMAP Affected Also?

[Woldscum]

How are they going to serve you adds?

Re:POP/IMAP Affected Also?

[grim4593]

I just checked my Thunderbird settings and I use IMAP and SMTP access with my Yahoo account and I don't pay $20/year or log in monthly.

Re:POP/IMAP Affected Also?

[bughunter]

Interesting. Thank you for that info.

Is that for a mobile device only or do you use a PC-based client?

Re:POP/IMAP Affected Also?

[grim4593]

This is on a Windows 10 desktop using Thunderbird. I use my @yahoo.com email and password:
imap.mail.yahoo.com Port:933 SSL/TLS, normal password
smtp.mail.yahoo.com Port:465 SSL/TLS, normal password
My android phone uses the same settings.

Would the attack have worked with NoScript enabled

[iMadeGhostzilla]

... assuming only the yahoo domains were allowed?

Pay for email

[Blaskowicz]

Like everyone everywhere is able to pay recurring fees for every little thing, yearly or monthly for decades on.

If you could get something like a lifetime subscription for mail at $100 I guess many would sign up (includes a choice of webmail like roundcube, squirrel etc.)
Perhaps $50, perhaps long term (20 years or delete after 5 years you didn't log in)

We're not only not willing to pay. Once you're paying for email, you have to keep paying (and have a valid debit card or banking account, etc.).
You may pay for a domain name, perhaps have some redirection trickery going on so conceivably it would be no big deal to lose that email service. But then, here's your domain recurring fee and renewal. It feels like hackers and tech companies have trouble renewing their domain (perhaps the rule of domains is if you get a domain, then you forget about it till the last minutes). So imagine your grandma paying recurring fees she doesn't know how to cancel, AND she lost her domain.

I'll even pay for an email service that doesn't support html and discards pictures, if you let me pay once and only once.

Astounding

[JustAnotherOldGuy]

Yahoo, a multi-million, possibly billion dollar company can't secure their own goddamn webmail, and this is after having ~20 years of experience in being an email provider.

Fucking fabulous, great job guys, you da man.

Re:Astounding

[antdude]

It is not the same Y! as before. :/

Is Yahoo owned by Microsoft?

To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ...

Hmmm, I thought this kind of crap only happened with Outlook.