Yahoo Mail stored XSS vulnerability: hackers could read anyone's mail - vulnerability warning - the black bar safety net

2016-12-13T00:00:00
ID MYHACK58:62201682047
Type myhack58
Reporter Anonymous
Modified 2016-12-13T00:00:00

Description

Jouko Pynnönen, a researcher at the Finnish company Klikki Oy, recently published a blog post demonstrating how a malicious attacker could use an XSS vulnerability in Yahoo Mail to send the messages in a victim's inbox to an external site, and how to build a virus that adds a malicious script to the victim's e-mail signature so that it rides along in every outgoing e-mail. Because the malicious code sits in the body of the message, it runs as soon as the victim opens the mail, with no further interaction needed. The crux of the matter is that Yahoo Mail did not correctly filter potentially malicious code out of HTML mail. What follows is a compilation of the researcher's blog post.

Finding history

Almost a year had passed since my last Yahoo Mail vulnerability, so it seemed a good time to take another look. I assumed the basic HTML filter no longer had holes, but while writing an e-mail recently I noticed the many options for adding attachments, which I had not paid much attention to last year. So I composed an e-mail containing a variety of attachments and sent it to an external mailbox, where I could inspect the HTML source of the message.

Yahoo Mail offers a feature for sharing files from cloud services. When a file is shared this way it is not attached to the mail; instead, HTML code is inserted that links to it, for example a Google Docs or Dropbox link.

Here the data- HTML attributes caught my attention. First, last year I had enumerated some of the HTML attributes that Yahoo Mail's filter allows, but not all of them. Second, data- attributes hold application-specific data that the JavaScript consumes, so they looked like a promising point of entry: perhaps some HTML attributes could be embedded in a mail to bypass Yahoo Mail's filter.
To understand the data- attributes better, I used the Sources tab of the Chrome developer tools to look for the JavaScript that references the data-url attribute. I found that YouTube links are also "optimized" by Yahoo Mail: if you enter a YouTube video link in a message, Yahoo Mail automatically generates a "link enhancement card", shown below, and the card contains several data- attributes.

When a user opens a mail containing such a card, Yahoo embeds the video, and next to the video there is a Share button; these features are implemented by Yahoo Mail's JavaScript reading the data- attributes. Next I tried to build a mail around these data- attributes, and there was the vulnerability: inserting a quotation mark into the data-url value breaks the HTML of the Share button so that it is no longer parsed correctly. As long as the URL points to a site on Yahoo's whitelist, such as YouTube, Yahoo performs no further checking or encoding, and the data-url value is used to set the innerHTML of the div that creates the button. My test was as follows:

From:
Subject: hello
To: victim@yahoo.com
MIME-Version: 1.0
Content-type: text/html

"><img src=x onerror=alert(/xss/)><"

When I opened the mail in Yahoo Mail, the JavaScript that "optimizes" links used the data-url attribute to render the button, and the HTML fragment hidden in the attribute was loaded. The HTML I had added contained an onerror attribute, so the attacker's malicious code executed.

The problem traces back to this function in the Yahoo Mail code (the opening div tag was lost when the page was extracted and is restored here from the surrounding description):

function generateButton(e,t) {
    var n=this,r;
    // e is the data-url value taken from the message; it is concatenated
    // into the markup as-is and handed to the DOM
    t.insert(['<div data-url="',e,'" class="',o,'"></div>'].join(""));
    r=t.one("."+o);
    n._attachButtonListeners(r);
}

It is called as t.shareMenu.generateButton(r.cardUrl,s), and the first parameter is the data-url attribute embedded in the message.
As you can see, the HTML at the bottom is assembled by plain string concatenation, with no processing of the value at all.

Impact

This finding is effectively the same as last year's XSS vulnerability. To prove it, I sent Yahoo's security team an e-mail which, when opened, used AJAX to read the message contents of the user's inbox and send them to the attacker's server.

The author submitted the vulnerability to Yahoo security through HackerOne on November 12, and on November 29 Yahoo awarded a 1 million dollar bounty.
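The concatenation in generateButton above, reproduced as an added example beside the fix a defender would apply. This is illustrative code, not Yahoo's; the function names, the whitelist and the constructed test URL are assumptions.

```javascript
// Added example, not Yahoo's code: the string-building pattern of
// generateButton beside a hardened version. All names are hypothetical.
const BUTTON_CLASS = "share-button";

// Vulnerable pattern: the data-url value is spliced straight into markup
// that will be assigned to innerHTML, as generateButton does with its
// first parameter.
function generateButtonHtmlUnsafe(url) {
  return ['<div data-url="', url, '" class="', BUTTON_CLASS, '"></div>'].join("");
}

// Attribute-context encoding: characters that could end a double-quoted
// attribute or open a tag become entities, so the value stays a value.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A host whitelist is a separate control: it keeps the link on an allowed
// site but says nothing about quote characters in the path or fragment.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com", "youtu.be"]);
function isAllowedVideoUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  return u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname);
}

// Hardened: reject URLs outside the whitelist, then encode for the
// attribute context before concatenating. With a real DOM, building the
// element via createElement/setAttribute avoids the concatenation entirely.
function generateButtonHtmlSafe(url) {
  if (!isAllowedVideoUrl(url)) return null;
  return ['<div data-url="', escapeAttr(url), '" class="', BUTTON_CLASS, '"></div>'].join("");
}

// Constructed test input in the shape the post describes: an allowed host,
// with a closing quote and bracket followed by an element carrying an
// event handler, hidden in the fragment so the host check still passes.
const PAYLOAD = 'https://www.youtube.com/watch?v=x#"><img src=x onerror=alert(/xss/)><"';

// True when the unsafe builder would let the injected tag reach innerHTML
// while the hardened builder keeps it inert.
function demonstrate() {
  const unsafe = generateButtonHtmlUnsafe(PAYLOAD);
  const safe = generateButtonHtmlSafe(PAYLOAD);
  return unsafe.includes("<img src=x onerror=") && !safe.includes("<img");
}
```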