Security holes in Hotmail, Yahoo, and other webmails

[FozZy <FozZy () dmpfrance com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[submitted to BugTraq -> no answer : yeah, if every hotmail hole was 
reported to bugtraq, this could be a DoS against the moderator. However, 
I'm sure some Yahoo's bugs affect other web apps and should be interesting 
for the security community and developpers. ]

OVERVIEW

Most webmails services and applications have huge security holes on the 
client side.
On Hotmail and Yahoo! Mail, execution of malicious javascript and HTML code 
was possible. There were flaws in the HTML filters, and cross-site 
scripting vulnerabilites. When an evil HTML message was read, it could 
delete emails, launch a webmail worm, steal the session cookie to allow a 
third party to gain unauthorized access to the mailbox, etc.
On Yahoo! Mail, it was also possible to automatically manipulate and modify 
some parts of the user's mailbox, without use of javascript. This problem 
is likely to exist on other web services.


USERS PROTECTION

Since these kind of vulnerabilities are NOT new, and a new hole is found 
every 6 months, it seems right to say that webmails are not safe at this 
time, even if these particular bugs on these particular sites are fixed. 
So, users should not use webmails for important or private datas. They should:
- - disable Active Scripting (sadly, many webmails need javascript to 
operate properly).
- - disable automatic image loading.
- - view messages in plain text rather than in html, if possible.
- - never click on a link submitted in an email, even if it is to a trusted 
website.
- - not rely on webmails as a safe place to store data. Do a backup.


TECHNICAL DESCRIPTION

- -- Hotmail

There was a huge flaw in the Hotmail filtering system, when parsing HTML 
messages like:
<script> (...) </script>

it becomes :
<COMMENT>
<!--
(...) (NOT PARSED BY FILTER)
//-->
</COMMENT>

It looks right. BUT, look at this code:
<script>
- -->
</COMMENT>
<img src="http://none";
onerror="alert(document.cookie);window.open(www.fakelogin.screen);">
</script>

After the filtering process I got this:
<COMMENT>
<!--
- -->
</COMMENT>
<img src="http://none";
onerror="alert(document.cookie);window.open(www.fakelogin.screen);">
</COMMENT>

And Javascript is executed automatically when viewing the message ! Even if
autoload of images is disabled, there are many other ways to execute
javascript, or insert bad HTML code, since this code is not parsed by the
filter. WoW. So simple and so powerful.

- -- Yahoo! Mail

a) Failure of the html filter to handle a malicious attribute value in HREF 
tags.

The 'target="_blank"' added by Yahoo when parsing HREF tags can be 
neutralized by adding an attribute value containing a '>' character. This 
is a variation of the trick Mark Slemko published on vuln-dev, February 2000.
This allowed the link to be opened in the same page. Javascript could then 
run in the mail.yahoo.com domain, because the "javascript" string was not 
filtered in HREF tags ! (I don't know what was the use of allowing that).

<a href="javascript:...">link</a>
  become
<a href="javascript:..." target="_blank">link</a>
  harmless
BUT
<a href="javascript:..." foo="bar>link</a>
  become
<a href="javascript:..." foo="bar target="_blank">link</a>
  harmful when clicked by user !

b) GET == POST

The user usually navigate through his mailbox by clicking on FORMs (POST 
method). But, if the parameters values are supplied in a link with the GET 
method, Yahoo cannot say the difference and accepts the input.
This is not a problem in itself but makes things much easier for the 
following c) and d) security holes...

c) Cross-site scripting

Cross-site scripting vulnerabilities on the yahoo.com domain was reported 
six months ago on Bugtraq by mparcens () hushmail com. (see 
http://www.sidesport.org) This allows a javascript code to steal the 
session cookie and send it over internet to a CGI script, which could then 
gain access to the mailbox of the user without knowledge of his password. 
My tests show that no check on the IP adress of the user (or the HTTP 
headers) is performed.

I found that many web pages was still vulnerable to cross-site scripting on 
*.yahoo.com.
For instance, in the mail.yahoo.com domain, the compose page and the 
signature page did not convert special characters in HTML entities in the 
"textarea" fields. So, they were vulnerable to posting data containing 
something like : "param=</textarea><script>bad code</script>".
This "bad code" could steal the session cookie or manipulate the mailbox 
since it is exactly in the same domain.

However, this vulnerability still needs that the user click on an evil link 
in a message. But, since it is a link to yahoo.com, it could be trusted by 
the user.

d) Automatic manipulation of mailbox

It was possible to perform many actions on the mailbox by posting data to a 
predictable URL, without need of giving a particular random string (this is 
now fixed). Associated with b), it was possible to automatically modify 
some preferences of the user (like the Reply-To address, the signature...), 
delete all messages in the Trash Folder, and so on. All of these without 
use of javascript, and without user interaction.

The association of b), c) and d) holes could be exploited with the 
following scenario (they are many others):
- - User reads an email with a malicious <img 
src="http://mail.yahoo.com/Preferences?foo=bar_with_css_javascript";>. 
Javascript code is inserted into the preferences of the User [b][d]. User 
notices nothing.
- - Later, user opens his Preferences web page.
- - Javascript is executed [c], showing a fake Yahoo "re-enter password" page.
- - Password is stolen and sent to a third party on Internet.
- - The preferences page is opened.
- - User is unaware the integrity of his account has been corrupted.

ATTACHED: the message I used to test Yahoo's bugs.

VENDOR STATUS

12/04: Microsoft informed.
12/11: Hotmail problem fixed. Very nice, very quick. Thanks !

12/04: Yahoo France informed.
12/07 : Yahoo USA informed.
12/13: Most Yahoo! Mail problems are fixed.
12/23: I have no news from them about the few bugs that remain.


MORE IS COMING

I will publish a technical security paper explaining known vulnerabilities 
and tricks used to bypass protections of webmail services. It will help to 
perform audits, will increase the users and developpers understanding of 
these problems, and (hopefully) will open the way to a better privacy.
Due to the fact that 80% (if not 100%) of webmails services and 
applications seem to have serious security problems, I suggest that 
webmails developpers send me their certified PGP key so that I can give 
them this text, before I release it to the public on BugTraq and in <ad> 
"Hackerz Voice International Edition" (http://www.dmpfrance.com)</ad>.
Note that the scope of these vulnerabilities is not limited to webmails.


Thanks to: Uzy.

Regards,

    FozZy

Independant security consultant
fozzy () dmpfrance com
Hackademy member of staff, Paris.
http://www.dmpfrance.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPCaqNRr0kU1q7chOEQLP2gCfRF4wUbbJrl52GIqS1piHd3qnlwUAnicp
0ICJ4GJALm/nCfJuDYGHjzaA
=EAoJ
-----END PGP SIGNATURE-----

Attachment: TexteMailHostileYahoo.txt
Description: