How one man could have set loose a Yahoo Mail virus

We’re all used to JavaScript in web pages.

JavaScript is the programming language that makes web applications possible, letting programmers build web pages with all the menus, buttons, bells and whistles of regular software.

There are two main things that help to keep JavaScript safe in your browser:

  • JavaScript can’t reach outside the browser and change files on your hard disk. The browser locks each web page in a sort of digital sandbox that keeps it under control.
  • JavaScript from website X can only access content inside your browser that came from X. This is called the same-origin policy, and it stops scripts on a crook’s web page from reading personal data such as login cookies or page content from your bank’s web page.

Very greatly simplified, but hopefully not oversimplified: if I serve malicious JavaScript from my site, the most I should be able to do from your browser is to hack my own site.

As you can imagine, the same-origin policy doesn’t translate very well to email, because JavaScript in emails doesn’t have a clear web origin to be tied back to.

Indeed, in a webmail system, any JavaScript in the body of an email would be served up by the webmail server and would therefore “speak officially” on behalf of the webmail system itself.

As a result, all major email clients and webmail systems have, for many years, banned JavaScript inside emails.

Unfortunately, banning JavaScript means stripping it out, and stripping it out means finding it in the first place, no matter how cunningly it’s hidden.

This stripping process is known as input sanitising, for obvious reasons: the webmail server has to recognise every construct that a browser would treat as script, whether a plain script tag, an event-handler attribute or a javascript: URL, and remove or neutralise it before the message is rendered.
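To make that difficulty concrete, here is an added illustration in JavaScript (it is not code from the article, from Yahoo or from any real webmail product): a deny-list filter that strips script elements, beside an allow-list sanitiser that rebuilds the message from known-safe tags and attributes and so never has to "find" the script at all. The malicious email body is constructed for the example, and the allowed tag and attribute lists, the webmail.example base host and all function names are assumptions.

```javascript
// Added illustration (not from the article or Yahoo): "just strip the JavaScript"
// means finding every place a browser will run script, and a deny-list rarely
// does. An allow-list rebuilds the markup from known-safe pieces instead.

// --- Deny-list: remove <script> elements and hope that was all of it ---------
function stripScriptsNaive(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// --- Allow-list: only these tags and attributes survive (lists are assumptions)
const ALLOWED_TAGS = { p: [], br: [], b: [], i: [], a: ["href"], img: ["src", "alt"] };
const SAFE_SCHEMES = ["http:", "https:", "mailto:"];
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Browsers decode character references in attribute values before they look at
// the URL, so the filter must decode them too or "jAva&#x09;script:" slips past.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] !== "#") return NAMED_ENTITIES[body.toLowerCase()] ?? whole;
    const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// The WHATWG URL parser strips tabs/newlines and lower-cases the scheme, which
// is the same normalisation the browser will apply, so check its result.
function isSafeUrl(value) {
  try {
    const u = new URL(value, "https://webmail.example/"); // base host is an assumption
    return SAFE_SCHEMES.includes(u.protocol);
  } catch {
    return false;
  }
}

function sanitiseAllowList(html) {
  // Regex tokeniser, adequate for a demo; a real filter uses a proper HTML parser.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(decodeEntities(html.slice(last, m.index))); // text before the tag
    last = tagRe.lastIndex;
    const closing = m[1] === "/", name = m[2].toLowerCase();
    const allowedAttrs = ALLOWED_TAGS[name];
    if (!allowedAttrs) {
      // Unknown element: drop it, and for script/style drop its body as well.
      if (!closing && (name === "script" || name === "style")) {
        const end = html.toLowerCase().indexOf(`</${name}`, last);
        const gt = end === -1 ? -1 : html.indexOf(">", end);
        last = tagRe.lastIndex = gt === -1 ? html.length : gt + 1;
      }
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    let attrs = "", a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const aname = a[1].toLowerCase();
      if (!allowedAttrs.includes(aname)) continue; // onerror, onload, style... are gone
      const value = decodeEntities(a[2] ?? a[3] ?? a[4]);
      if ((aname === "href" || aname === "src") && !isSafeUrl(value)) continue;
      attrs += ` ${aname}="${escapeHtml(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(decodeEntities(html.slice(last)));
}

// Constructed malicious email body: four ways to run script, only one of which
// is an actual <script> element.
const EVIL_BODY =
  '<p>Hi!<script>alert(1)</script><img src="x" onerror="alert(document.cookie)">' +
  '<a href="jAva&#x09;script:alert(1)">click</a><svg onload="alert(1)"></svg></p>';

console.log(stripScriptsNaive(EVIL_BODY)); // script tag gone, three vectors remain
console.log(sanitiseAllowList(EVIL_BODY)); // <p>Hi!<img src="x"><a>click</a></p>
```

The deny-list output still carries the onerror handler, the onload handler and the tab-disguised javascript: link; the allow-list output carries none of them, because nothing it did not explicitly expect is ever copied through. Production code should hand the parsing to a real HTML parser or a maintained sanitiser library rather than regexes, since attribute values containing a ">" would already confuse this tokeniser.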

Missing a trick

Sometimes, webmail software misses ways that a crook can rig up an email to generate and run JavaScript, and then you have an exploitable vulnerability.

Almost a year ago, security researcher Jouko Pynnönen of Finnish company Klikki Oy figured out a way to do just that in Yahoo mail.

He found what is known as a cross-site scripting vulnerability (XSS), whereby he could hide JavaScript in an email in such a way that merely reading the email would run the JavaScript inside Yahoo’s webmail interface.

Of course, that meant that Yahoo was treating the external, untrusted JavaScript as though it were its own.

(In cases like this, the name cross-site is a slight misnomer, because the original script doesn’t come from another website, but the term XSS fits well enough and is used nevertheless.)

Amusingly, if security holes are ever funny, Pynnönen was able to embed JavaScript in an email so that it would reconfigure your Yahoo signature to be a copy of that same JavaScript, and would therefore appear in every email you sent out…

…whereupon it would infect the recipient’s signature settings, and so on: a true self-spreading virus.

Pynnönen told Yahoo on the second day of Christmas (26 December 2015); Yahoo fixed it by Twelfth Night (06 January 2016) before anyone else could find it and abuse it; the world was safe; and Pynnönen was awarded $10,000 for his troubles.

One year on

Fast forward one year, and Pynnönen figured he might as well try again.

Unfortunately (or fortunately, given that he once again told Yahoo privately so that the problem could quickly be fixed), he found a different way to do much the same thing.

This time, he played around with Yahoo’s email feature called Share files from cloud providers.

He found that when he fed this Yahoo link-sharing option with a URL, it built the URL into a fragment of HTML that was then included in the email that was sent.

He couldn’t control the HTML that was wrapped around his URL, but he noticed that if he used a YouTube URL, Yahoo seemed to accept it blindly, apparently without sanitising it.

As a result, he could construct a URL that had a fragment of JavaScript in it, such that the JavaScript would survive and end up knitted into the HTML of the email that was generated.

This means that recipients would see an HTML email containing untrusted JavaScript that Yahoo’s own site had served up.

Bingo: cross-site scripting, or XSS.

(As we explained above, XSS is where an untrusted script from source Y is treated as though it came from site X and is therefore imbued with the right to interact fully with site X.)

In other words, Pynnönen could have pulled off an email signature virus attack all over again.
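The shape of that second bug, as an added illustration in JavaScript (this is not Yahoo's code and the markup, the "trusted provider" check and the function names are assumptions): a toy share-a-link feature that builds a user-supplied URL into an HTML fragment for the outgoing email. The vulnerable version decides that a URL pointing at YouTube is trustworthy and splices it straight into the template; the hardened version parses the URL, accepts only http(s) to the expected host, re-serialises it and HTML-escapes it for each position it lands in. The attacker URLs are constructed for the example.

```javascript
// Added illustration (not Yahoo's code): building a shared URL into email HTML.

// Vulnerable version: once the URL looks like YouTube it is copied verbatim into
// the template, both inside a quoted attribute and as the link text. Nothing
// about a trusted host stops the query string from containing a quote or a tag.
function buildShareHtmlNaive(url) {
  if (!/^https?:\/\/(www\.)?youtube\.com\//i.test(url)) return null;
  return `<p>Shared video: <a href="${url}">${url}</a></p>`;
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Hardened version: parse, check scheme and host on the parsed form, then
// re-serialise (the WHATWG parser percent-encodes " < > and spaces in the query
// and path) and HTML-escape the result before it touches the template.
function buildShareHtmlSafe(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (!["http:", "https:"].includes(u.protocol)) return null;
  if (!["youtube.com", "www.youtube.com"].includes(u.hostname)) return null; // assumption
  const href = escapeHtml(u.href);
  return `<p>Shared video: <a href="${href}">${href}</a></p>`;
}

// Constructed attacker URLs: the first closes the href attribute and adds an
// event handler, the second injects an element through the link text.
const ATTR_BREAKOUT = 'https://www.youtube.com/watch?v=abc" onmouseover="alert(document.cookie)';
const TEXT_INJECTION = 'https://www.youtube.com/watch?v=<img src=x onerror=alert(1)>';
const BENIGN = "https://www.youtube.com/watch?v=abc123";

for (const url of [ATTR_BREAKOUT, TEXT_INJECTION, BENIGN]) {
  console.log("naive:", buildShareHtmlNaive(url));
  console.log("safe: ", buildShareHtmlSafe(url));
}
```

Both attacker URLs pass the naive host check, and in the naive output the first becomes an onmouseover attribute on the link while the second becomes a live img element in the link text. The hardened output keeps both inert: the quote, angle brackets and spaces come out of the URL parser as %22, %3C, %3E and %20, and escaping covers anything the parser leaves alone, such as an ampersand.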

What to do?

You don’t need to do anything, because the bug was in Yahoo’s code and was therefore Yahoo’s to fix.

Just like last year, Pynnönen told Yahoo privately and Yahoo, to its credit, has already fixed it.

And, just like last year, he received $10,000 – not a bad Christmas present!