Yahoo has fixed a serious cross-site scripting vulnerability in its webmail product that could’ve allowed an attacker to take over a victim’s email account with one malicious email.
The bug is a specific kind of cross-site scripting vulnerability known as stored XSS. In order to trigger it, an attacker would only need to send a single email with the malicious code in it. If the user opened the message, the code would execute without any further interaction from the user.
“We provided Yahoo with a proof of concept email that would forward the victim user’s inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits ‘in the wild’.”
The root of the problem was in the way that Yahoo’s mail system filtered potentially malicious code in HTML mail messages. In some instances, bad HTML code could slip through Yahoo’s filters.
“As a starting point for our investigation, a message containing all known HTML tags and attributes was created to see which of them the Yahoo filter lets through. After viewing the resulting email on Yahoo Mail, we noticed that if certain, supposedly “boolean” HTML attributes were given a value, the value was removed by the filter, but the equals sign was not,” the advisory says.
“This may seem pretty harmless on the first look, but web browsers handle this case rather unintuitively: this is interpreted as CHECKED having the value NAME=”check, plus the tag containing a third attribute named box without a value. The behavior is based on the HTML specification which allows “zero or more space characters” around the equals sign in an unquoted attribute value. The confusion can be exploited to insert unrestricted HTML attributes in tags that allow a ‘boolean’ attribute.”
Yahoo paid the researcher who discovered the vulnerability a reward of $10,000.
Image from Flickr stream of Martin Lafrance.