Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Yahoo! XSS Flaw Endangers its Users

Posted by CowboyNeal on Fri Jun 15, 2007 02:16 AM
from the ever-vigilant dept.
Yahoo! Security IT
Rarely Greys writes "A major Yahoo XSS flaw makes it possible to take over any Yahoo user's account, including their mail, instant messaging, photos, etc. This is not a rare occurrence. So why aren't web sites doing more to protect their users? It's looking like most web developers don't even know or care about XSS."
This discussion has been archived. No new comments can be posted.
Yahoo! XSS Flaw Endangers its Users | Log In/Create an Account | Top | 157 comments | Search Discussion
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Responsible disclosue? (Score:4, Insightful)

    by starwed (735423) on Friday June 15, @02:21AM (#19516185)
    There's no information here about whether Yahoo has been contacted about this (and their response if so.)

  • I fail to see how is this related to XSS (Score:3, Interesting)

    by wumpus188 (657540) on Friday June 15, @02:35AM (#19516251)
    And, if I'm reading his code right, to get this to work one must have 'third party cookies' allowed in the browser... Most sane browsers have this OFF by default.

  • Talk about an exploit... (Score:2, Funny)

    by C10H14N2 (640033) on Friday June 15, @02:36AM (#19516253)
    What the hell are "Penis painted" bars? /Useless without pics

  • Ouch.. (Score:2)

    by zaunuz (624853) on Friday June 15, @02:42AM (#19516269)
    I would fall into the category of developers who did not know about this threat. How would i go about protecting the users? are there any simple guidelines that would make XSS-attacks impossible?
    • Re:Ouch.. by Don_dumb (Score:2) Friday June 15, @02:55AM
      • Re:Ouch.. by Trails (Score:2) Friday June 15, @09:52AM
        • Re:Ouch.. by Don_dumb (Score:2) Saturday June 16, @07:24AM
      • 1 reply beneath your current threshold.
    • Re:Ouch.. by Capt'n Hector (Score:2) Friday June 15, @02:58AM
      • Re:Ouch.. by zaunuz (Score:2) Friday June 15, @03:04AM
        • Re:Ouch.. by Fireflymantis (Score:3) Friday June 15, @03:21AM
          • Re:Ouch.. by zaunuz (Score:2) Friday June 15, @04:12AM
          • Re:Ouch.. by Capt'n Hector (Score:2) Friday June 15, @04:16AM
            • Re:Ouch.. by protohiro1 (Score:2) Friday June 15, @11:43AM
            • 1 reply beneath your current threshold.
          • Re:Ouch.. by Licky Lindsay (Score:1) Friday June 15, @09:35AM
        • Re:Ouch.. by ensignyu (Score:3) Friday June 15, @03:50AM
          • Re:Ouch.. by zaunuz (Score:3) Friday June 15, @04:15AM
            • Re:Ouch.. by J0nne (Score:3) Friday June 15, @04:39AM
              • Re:Ouch.. by zaunuz (Score:2) Friday June 15, @05:03AM
              • Re:Ouch.. by J0nne (Score:2) Friday June 15, @06:22AM
              • Re:Ouch.. by zaunuz (Score:2) Friday June 15, @08:27AM
            • Re:Ouch.. by nherc (Score:2) Friday June 15, @08:04AM
          • Re:Ouch.. by oglueck (Score:2) Friday June 15, @09:30AM
      • Re:Ouch.. by Goaway (Score:2) Friday June 15, @06:43AM
        • Re:Ouch.. by zaunuz (Score:2) Friday June 15, @08:25AM
          • Re:Ouch.. by Goaway (Score:2) Friday June 15, @08:26AM
        • Re:Ouch.. by Goaway (Score:2) Friday June 15, @03:04PM
        • 1 reply beneath your current threshold.
    • If you want to secure your systems, make sure you do not allow userinput with certain tags (assuming this input is displayed later on in a html page).

      Tags like script, iframe, link, style, embed, object _MUST_ be stripped in an untrusted environment. why you may ask: script, iframe, link allow external references (for example injection of code of remote sites which you can not easily check).

      script itself is the most evil tag because it allows an attacker to access any element in a page, modify it and inject further remote scripts not stored on your server.

      ie interprets javascript and vbcode in style tags /me *shudders* (not sure if this is still true in IE7, in quriks-mode however i am pretty sure this still works in ie7 and non standard compliant mode AKA quirks-mode is the default for most IE only or IE targetted sites).

      embed and object tags are used to insert java and activeX code, I guess I do not have to say much about those two techniques, it's again about inserting remote code at runtime.

      iframe is, by nature, a fairly secure tag. it can not harm the users page much but it can be used to trick the user in believing to be on another page/site or trick him in any other way. plus, many IE versions had security holes where scripts could travel up from iframe into its parent document to manipulate data from another domain (crossite ;)

      There might be some potentially evil tags missing in my list, this is just from the top of my head.

      I usually go the other way, instead of restricting tags i define a white-list of tags which are useful for formatting reasons such as strong, em, front, etc. this seems to be a much more controllable way.

      HTH,
      -Simon

      [ Parent ]
    • Re:Ouch.. by trianglman (Score:2) Friday June 15, @07:48AM
  • As a web developer myself, I try dillagently to kill off any XSS attacks by writing good secure code, but there will always be a few corner cases in any non-trivial application that one does not count for. This is doubly so when dealing with web services that have to pump out huge amounts of data over an insecure medium.

    What is most showing is how fast it will be till Yahoo fixes this vunerability as a sign of their metal.

    imho...
  • Could it be that web developers have to create Web 2.0 applications that take all sorts of evil input? How do you make blogs, tags, message boards, and things 100% safe? I wish security researchers would create a proof of concept site that was a REAL web application to show best practices. Sure there are projects like http://www.owasp.org/ [owasp.org], but their example code is near useless for most languages they have up.

    Think about the input needed for a comment box. You have to deal with i18n issues. UTF-8 or UTF-16 is a very big character set. You can't explicitly block everything and then white list selectively very easily with such a big character set.

    Some people think bbcode is the solution for some types of sites. I haven't seen too many implementations of bbcode for languages other than PHP that are open source and reusable.

    Can someone point me at resources for Java and .NET development? I don't use PHP very often. Are there any resources for other languages like perl, python and ruby?

    I'd personally love to get a library to do safe HTML input while stripping any dangerous tags in Java that is reasonably reusable.

  • Idiot Consumers? (Score:1)

    by Belacgod (1103921) on Friday June 15, @02:51AM (#19516311)
    If I read right, you have to click on a long link, whose destination is nonobvious, to activate this. That restricts this, like most other internet security threats, to the (multitudes of) total idiots. Am I reading TFA wrong?

    • Re:Idiot Consumers? (Score:4, Insightful)

      by Fireflymantis (670938) <(martin) (at) (remote.net)> on Friday June 15, @03:01AM (#19516353)
      (http://remote.net/)
      more correctly (If I read the overly pink article right), it is the reliance that someone will click on something like this:

      ----
      OMG! Check out this funny search!

      "French military victories"
      <a href='evilsite.com/haxzoryouryahoo.cgi'>http://sea rch.yahoo.com/search?p=french+military+victories$l t;/a>

      HAHAHA! Couldn't stop laughing...
      ----
      [ Parent ]
    • 1 reply beneath your current threshold.

  • Web developers know not enough about security (Score:4, Insightful)

    by PsyQo (1020321) on Friday June 15, @02:52AM (#19516315)
    In my opinion web developers just don't know enough about security.

    They know how to store and retrieve data from a database, but they don't know why it's important to escape strings before they go to into a SQL query (or better: use parameterized queries). It happens too often that when you see some page: view.php?id=23 and you change 23 to 23', it returns an error. Although a lot of developers are 'saved' by PHP's magic quotes, it isn't a silver bullet.

    Even less web developers seem to know about XSS and how to prevent it.

    Web security should get a lot more attention in web developer education, from SQL injection to XSS to salted hashes.
  • The real problems today are using ActiveX in Internet Explorer.
    Believe it or not, most malware,spyware,viruses spread to the user via Internet Explorer ActiveX.

    Although users are prompted to click yes or no, the default user will click yes anyway, and that's even a bigger problem.
  • It's not a shame to admit you know zilch about XSS. But at least use a library/package/class or something which prevents these flaws. For instance for the PHP developers, there is HTML_Form [php.net], which includes a unique hidden form field each time a form is generated thus preventing some XSS.

  • Here's Why. (Score:5, Insightful)

    by Anonymous Coward on Friday June 15, @03:24AM (#19516477)
    Well, my take (multiple major webdev projects on the go NOW)...

    1. MOVING TARGET

    A lot of webdev security issues (DB input, etc.) are moving targets.

    For example, take database input. Ten years ago, for many (beginning) developers, escaping quotes and backslashes manually was considered fine. Later developers had database libraries that provided these functions natively. All of a sudden, unicode came along. Suddenly you had to worry about extra characters. This was another step - for example, for developers using MySQL, it was pertinent to change all of your escape functions to a new, unicode-aware one.

    With everything else on their plate, even if they're single-language developers, auditing old code to maintain current security best practice falls somewhere at the bottom of the todo list, between 'get some exercise' and 'catch up on sleep'.

    2. EXPECTATIONS RISING

    As individual leading sites like google's gmail or google earth appear, expectations from clients increase. Web developers have a hard time keeping up with meeting all of the new 'standard features' that are expected, and are often implementing certain aspects for the first time, relying on either poorly audited code (random downloaded scripts) or writing their own with insufficient time for testing and security auditing.

    3. NEW OR RAPIDLY ELEVATED ISSUES IN WEB SECURITY

    In the last ten years, issues have appeared such as:
      1. Public tools and worms that can easily attack custom-made applications, rendering some older, unmaintained code more readily exploitable. (This is just another time pressure, and security is all about the combination of resources for the attacker and defender... not just technical know-how on either side.)

      2. Cross site scripting... this is quite a complex issue and is not understood by all developers.

      3. A large number of scripting languages, which are constantly being updated and take a lot of time to stay up to date with. For example, most web developers are not really competent with javascript/ecmascript...

      4. Browser or other 'out of web developer control' bugs can make different tags or features dangerous 'at short notice'.

      5. AJAX and web services, which emphasise providing structured, easily-accessible data to the public, make data scraping (ala screen scraping) that much more of a real and widespread threat. As of today, most developers still do not take this threat seriously.

      6. Denial of service attacks.

      7. New expectations of server-side image (or web services data) processing can expose extra code (often legacy tools, or tools in entirely new languages) to potentially hostile input.

    4. GENERAL PROGRAMMING ISSUES

    Add to the above the standard pressures that lead to security shortfalls:
      - Web developers, like other programmers, are often lumbered with unrealistic delivery timeframes.

      - A lot of webdev is single-developer stuff, not completed in teams. As only one person reads the code, errors are less likely to be spotted.

      - Most webdev projects have no budget for code auditing as close-to-secure code is often merely a desirable part of the overall bundle, not a steadfast client requirement...

      - Webdev people often aren't client facing. In today's highly comepetitive webdev market, client facing salespeople perhaps don't know enough about code security to sell it as a budget-worthy extra.

    5. CLIENTS DONT CARE

    They want a working site, not a working site with n^m behind-the-scenes feelgood features they have to take at face value and have no way to 'see', 'show the boss' or otherwise justify.

  • XSS? (Score:2, Funny)

    by bar-agent (698856) on Friday June 15, @03:28AM (#19516493)
    What's XSS?

    Eh, never mind. I don't really care.
    • Re:XSS? by RuBLed (Score:2) Friday June 15, @03:53AM

  • pop3 (Score:1)

    by Aliriza (1094599) on Friday June 15, @05:35AM (#19516895)
    (http://ktservis.com/)
    hotmail has a flaw , it seems that old yahoo has a flaw too , I think we are going back to old pop3 accounts at least the control will be in our hands.

  • Paris Hilton?! (Score:2)

    by tsa (15680) on Friday June 15, @06:27AM (#19517063)
    (http://www.tjerkstra.org/)
    I stopped reading right after the bit about Paris Hilton. If you need her to keep your audience reading your article then either you are a bad writer or I am not the target audience.
  • The exploit is simply sending an email a link that posts to a fo via JavaScript

    On top of that it relies on posting a form to an external domain; such a thing gives a nasty warning in Firefox.

    This really has nothing at all to do with XSS, you can do this with any email client that has HTML mail.

  • Are XSS flaws overrated? (Score:3, Insightful)

    by Vexorian (959249) on Friday June 15, @07:50AM (#19517705)
    There is certainly no excuse for web developers not to validate output correctly, but how big of an issue XSS actually is? This one vulnerability requires you to make an user click an odd link, and it took yahoo almost no time to fix it, how many hackers are so good at social engineering that would be able to take advantage of this?

  • developers: simple solution (Score:2)

    by brunascle (994197) on Friday June 15, @08:07AM (#19517833)
    there is a very simple solution to XSS this that is rarely followed:

    never, i repeat, never print out a user-editable string variable directly to a web page. send every single one through a function that, at the very least, replaces all '<' and '>' to '&lt;' and &gt;

  • Rules of Thumb? (Score:2)

    by Slashdot Parent (995749) on Friday June 15, @08:48AM (#19518243)
    Are there any rules of thumb that can be used to stop XSS hacks for those of use who just want to write secure code but don't really feel like becoming experts in XSS?

    For instance, it is trivial to protect yourself from SQL Injection hacks. Just use substitution variables:

    SELECT first_name, last_name FROM users WHERE userid=$in_userid
    would become

    SELECT first_name, last_name FROM users WHERE userid=?
    And then just set that variable. Magic, no SQL Injection possible (as long as you trust your DB libraries!).

    Is there a similar way to insulate yourself against XSS so we can just go back to writing code that doesn't suck?

  • Bottom line: Developers don't care (Score:3, Interesting)

    by MobyDisk (75490) on Friday June 15, @08:55AM (#19518325)
    (http://www.mobydisk.com/)

    It's looking like most web developers don't even know or care about XSS
    I think the summary was trolling, but even so they got it dead on.

    I've worked on several web projects over the years, and I've never met a single developer who even knew or cared about XSS. In all of those projects none of them, other than myself, bothered to even escape strings when sending out to HTML. In some cases, they will go out of their way to _not_ escape them. Like in ASP.NET, using HTML literal controls (which don't escape HTML content) instead of using text controls (which do). The reasoning was that the .000001% optimization it provides is more important than the risk of a security problem.

  • XSS in real life (Score:1)

    by sm8000 (780163) on Friday June 15, @11:57AM (#19520997)
    Bet you never thought it could create a stir in forum drama and politics. At the web's largest tech forum, no less. This is from last October: http://www.pictars.com/users/sm8000/ATMod1280.jpg [pictars.com]

  • Not the fault of developers (Score:1)

    by holophrastic (221104) on Friday June 15, @02:15PM (#19523093)
    It's not the developer's fault that security problems like these appear. I promise -- in general developers do what they're told. How many carpenters are responsible for the insulation in your home? What about the alarm systems? Welcome to multiple jobs and multiple persons.

    But it's a lot more than that. First off, what idiot thinks that if you avoid XSS, you're secure? Unless you're willing to drop everything and analyze hundreds of security issues, plugging one hole doesn't do anything at all. So the decision is not whether or not to plug XSS, it's whether or not to care about security. In the business world, that translates into "how much should we care about security" or "how much time/effort should go into security".

    It's the same thing with your car -- in fact, it's identical. Does your car have air bags? I'll bet it does. Does your car have seat belts? I'll bet it does. Funny thing though -- F1 cars have neither. We've all seen racing with cars flipping, burning, and drivers walking away unscathed. Does your car have a roll-cage? What about a four-point harness? Why not? Simple: not worth the trouble. How many car injuries would be solved with harnesses? You'd have to ignore the injuries from people driving off of a cliff -- which people do. People like to die.

    Back to the business decision of how much time to spend on security. That too gets translated quickly in teh business world. Now it's: "what's more important, this big feature over here, or this security hole over there?". And again, the reasoning is pretty clear:

    New application feature: brings more business, looks good, more usability, first to market, can charge for it, innovation, patents, competitive edge.

    Block security hole: there is just going to be another one, new application features create code flux that solves security holes by accident anyway, it's a performance loss, keeping them open doesn't guarantee that anything bad will happen, no one notices when you're site is more secure, and ultimately the only point of security in these cases is to hinder malicious criminals. Malicious criminals are at fault and responsible for their actions. What's more, you're never going to stop Ethan Hunt no matter how many security holes you plug.

    I'm not against security -- if for no other reason, security breeds reliability: something computers frequently don't have. But to get caught up in security at the cost of everything else is just silly. Obviously, air-craft control, nuclear reactors, and space-based lasers are exceptions -- that's why my software licences explicitly prohibit my web portals from being used to control the shuttle. But when it comes to your geocities web-page listing your favourite books, top-level security is just plain stupid. Even when it comes to your credit card, you aren't responsible for fraudulent charges. And when it comes to your bank account, banking actions can be easily reversed.

    So you're left with the nuisance of having to get new credit cards, or be bothered with your bank. It's annoying, and it can be devastating, but it's not dangerous. In my mind, that means it warrants security level two -- not one. So come up with what you believe is security level one, and then drop it down a few notches for your bank. Drop it down more for your e-mail. Drop it down all the way for your geocities account. And keep in mind that no one cares about your favourite books.

  • Since other bugs in yahoo make it mail me a new password in an e-mail which is not the one I get my (yahoo) mailing lists delivered to, and no other way to restore access to my account.

  • Re:suck it firefox (Score:2)

    by Vexorian (959249) on Friday June 15, @07:45AM (#19517651)
    I know you are a troll, and firefox is totally secure but either way:

    There is no excuse in using anything other than konqueror.
    How about I don't use KDE?
    [ Parent ]
  • 6 replies beneath your current threshold.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.