Yahoo has made strides in battening down its security in the last 12 months, most publicly with its decision to enable end-to-end encryption for its email service, turn on SSL by default, and encrypt links between its data centers. There are still some darkened corners of its infrastructure, however, that merit attention.
White-hat bug hunter Jordan Milne this week disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. Milne said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more.
Milne, a Canadian security consultant, said Yahoo patched one issue related to a specific .swf file hosted on Yahoo’s content delivery network; that file contained a vulnerability that could give an attacker complete cross-origin control over Yahoo Mail accounts. While the patch fixed this specific file, Milne said the larger configuration issue remains, meaning that .swf files hosted outside the Yahoo CDN on other Yahoo subdomains could be manipulated the same way.
“I don’t know why Yahoo! originally created such a lax cross-domain policy for Flash requests on YMail,” Milne told Threatpost. “I’m betting there are weird legacy reasons, like 10 years ago they used a Flash-based uploader for mail attachments, and someone decided that they were better off allowing every subdomain of yahoo.com to make cross-domain requests in case they decided to move stuff between domains. It’s not easy to restrict those rules when they’ve been in place for so long though, because you risk silently breaking things.”
Milne wrote up the technical details on his personal website. He received a $2,500 bounty for reporting the vulnerable .swf file, but he cautions Yahoo there could be deeper trouble.
“This particular .swf has been fixed, but I’m sure more vulnerable .swfs exist. Those .swfs will be a threat to YMail until the crossdomain.xml rules are tightened up,” Milne said. “The crossdomain.xml rules also open users up to active [man-in-the-middle] attacks, because they all have `secure="false"` flags. That flag means what it says, insecure resources served over HTTP may access the HTTPS site cross-origin. Adobe specifically recommends against using it as ‘this compromises the security offered by HTTPS.’”
A hacker could host a malicious .swf and entice the user via a phishing email or watering hole attack to visit the site in order to trigger the exploit.
“Once you have control of someone’s email, you have the keys to their digital life. You can silently trigger password resets for all of their accounts, pull the reset tokens right out of their emails, then change the recovery emails on the accounts so the victim can’t get them back,” Milne said. “You can read out their contacts, and send out mass emails as the victim to try and convince their contacts to visit your infected page. Obviously, you can also read their private email.”
Milne said Yahoo hosts thousands of “forgotten” .swf files across its subdomains, many of those subdomains likely forgotten as well. Those files could also be vulnerable to similar exploits, he said, adding that the lax crossdomain.xml rules are the real problem.
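The two weaknesses Milne describes, a `secure="false"` flag and a wildcard rule that trusts every subdomain, are both visible in the policy file itself, so a defender can audit for them mechanically. The following is an added example, not code from the article, from Milne, or from Yahoo: a small checker that parses a crossdomain.xml served over HTTPS and flags the lax settings. The two policy documents and the `audit_policy` helper are constructed for illustration; the Yahoo policy is not reproduced here. The checker also flags two related settings Adobe's format allows (a bare `*` domain, and `site-control` set to `all`), which goes a little beyond the article's two points.

```python
"""Audit a Flash crossdomain.xml for lax settings (constructed example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed policy illustrating the pattern described in the article:
# every subdomain trusted, and secure="false" so HTTP-served SWFs may read
# responses from the HTTPS host. Not Yahoo's actual file.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed tightened policy: one named host, policy only from the root
# crossdomain.xml, and HTTPS-only access (secure="true").
TIGHTENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="uploader.example.com" secure="true"/>
</cross-domain-policy>
"""


@dataclass(frozen=True)
class Finding:
    check: str     # short machine-readable code for the rule that fired
    element: str   # policy element the finding applies to
    reason: str    # human-readable explanation


def audit_policy(xml_text: str) -> list[Finding]:
    """Return findings for a crossdomain.xml assumed to be served over HTTPS.

    Assumes the Adobe default: when the policy is served over HTTPS, a
    missing ``secure`` attribute means secure="true".
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"not a cross-domain-policy document: <{root.tag}>")
    findings: list[Finding] = []

    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append(Finding(
                "site-control-all", "site-control",
                'permitted-cross-domain-policies="all" lets any file on the host '
                'act as a policy file, not just the root crossdomain.xml'))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").strip().lower()
        if domain == "*":
            findings.append(Finding(
                "wildcard-any", "allow-access-from",
                'domain="*" lets SWFs from any origin read responses'))
        elif domain.startswith("*."):
            findings.append(Finding(
                "wildcard-subdomain", "allow-access-from",
                f'domain="{domain}" trusts every subdomain; one forgotten '
                '.swf on any of them is enough'))
        if secure == "false":
            findings.append(Finding(
                "insecure-http", "allow-access-from",
                f'secure="false" on {domain or "(no domain)"} lets SWFs served '
                'over plain HTTP access this HTTPS host'))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "") == "*":
            findings.append(Finding(
                "headers-wildcard", "allow-http-request-headers-from",
                'domain="*" lets any origin send custom request headers'))

    return findings


def is_lax(xml_text: str) -> bool:
    """True when the policy triggers at least one finding."""
    return bool(audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("tightened", TIGHTENED_POLICY)):
        print(f"== {name} ==")
        for f in audit_policy(policy):
            print(f"  [{f.check}] <{f.element}>: {f.reason}")
```

Run against the permissive document the checker reports the wildcard subdomain rule and the `secure="false"` flag Milne describes, plus the two extra settings; the tightened document produces no findings. Point `audit_policy` at a fetched policy to apply the same checks to a real host.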
“They make the attack surface for YMail much wider than it needs to be, in my opinion, and allowing content on unrelated sections of Yahoo! to pull data from YMail without restriction just leads to odd vulnerabilities,” Milne said.