Yahoo corrects email flaw

A flaw in its Web-based email system could have let attackers control victims' Yahoo accounts

Yahoo has fixed a bug in its Web-based email system that would have allowed attackers to seize control of users' email accounts.

The security flaw, discovered by eEye Digital Security's Drew Copley, allowed attackers to bypass the Web-mail system's JavaScript filters. Any message exceeding approximately 100kb in length would not be analysed by the filter, which is meant to strip messages of any potentially malicious JavaScript.

In effect, this enabled attackers to take control of a user's account by sending them a specially crafted email.
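The failure mode described above is a size gate in front of the sanitiser: messages over a threshold skip filtering entirely. The following is an added example, not Yahoo's code or eEye's advisory, that models that gate beside the corrected behaviour (sanitise every message, reject anything too large to process). The 100kb threshold is taken from the article; the `stripScripts` helper, the 10 MB hard limit and the sample message are constructed for illustration.

```javascript
// Added example (not Yahoo's code): a webmail script filter with a size gate
// versus the same filter applied to every message regardless of size.

// Threshold described in the article (~100kb); anything larger was skipped.
const SIZE_GATE_BYTES = 100 * 1024;

// Minimal script-stripping step: removes <script> elements, inline event
// handler attributes (onload=, onerror=, ...) and javascript: URLs.
// Illustrative only: a real mail system should use an HTML sanitiser built
// on a proper parser, not regular expressions.
function stripScripts(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/(href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\2/gi, '$1="#"');
}

// Flawed filter: a message larger than the gate is passed through untouched,
// so its scripts reach the user's browser intact.
function filterWithSizeGate(html) {
  if (Buffer.byteLength(html, 'utf8') > SIZE_GATE_BYTES) {
    return html; // "too big to scan": the bypass the article describes
  }
  return stripScripts(html);
}

// Corrected filter: every message is sanitised. If a message is genuinely too
// large to process, fail closed (reject it) rather than deliver it unfiltered.
const MAX_MESSAGE_BYTES = 10 * 1024 * 1024; // constructed hard limit
function filterAlways(html) {
  if (Buffer.byteLength(html, 'utf8') > MAX_MESSAGE_BYTES) {
    throw new Error('message too large to sanitise; rejecting');
  }
  return stripScripts(html);
}

// Check used to verify the filters: does any active content survive?
function containsActiveContent(html) {
  return /<script\b/i.test(html) ||
         /\son[a-z]+\s*=/i.test(html) ||
         /javascript:/i.test(html);
}

// Constructed sample message: a harmless body with an embedded script tag,
// once as-is and once padded with an HTML comment to exceed the size gate.
const SMALL_MESSAGE = '<p>Hello</p><script>/* injected script */</script>';
const LARGE_MESSAGE = SMALL_MESSAGE + '<!--' + 'x'.repeat(SIZE_GATE_BYTES) + '-->';

// Runs both filters over both messages and reports whether the output is clean.
function compareFilters() {
  return {
    gatedSmallClean:  !containsActiveContent(filterWithSizeGate(SMALL_MESSAGE)),
    gatedLargeClean:  !containsActiveContent(filterWithSizeGate(LARGE_MESSAGE)),
    alwaysSmallClean: !containsActiveContent(filterAlways(SMALL_MESSAGE)),
    alwaysLargeClean: !containsActiveContent(filterAlways(LARGE_MESSAGE)),
    bodyPreserved:    filterAlways(LARGE_MESSAGE).startsWith('<p>Hello</p>'),
  };
}

console.log(compareFilters());
```

The point of the comparison is the `gatedLargeClean` result: the gated filter cleans the small message but lets the padded one through with its script intact, while the unconditional filter cleans both and keeps the legitimate body. The general lesson is that a sanitiser must never have a "skip" path; if a limit is needed, it should reject the input rather than pass it on.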

"A remarkable note about this bug is that no one seems to have found it before," Copley's advisory reads. "As far as anyone knows."

Speaking to ZDNet UK sister site ZDNet Australia by phone from the US, Copley said it would be possible to use the flaw to capture the username and password of a Yahoo account holder.

"You can change the page that they're looking at. You can get all their contact information. You can do anything that a user would do on the page," he said. "The main thing people would do with this is to grab usernames and passwords through a re-login page."

This works by using JavaScript to load a window that prompts the user to log in to the service again. However, when the user name and password are entered, they are sent to the attacker, not to Yahoo. It works somewhat like a phishing scam, Copley said.

The usual alarm bells would not ring for the average user, Copley added; Yahoo routinely prompts users with a window asking them to log in again following session time-outs.

The bug would also allow an attacker to seize the user's session cookie, which contains personal user details submitted to Yahoo. Copley has praised Yahoo's response to the issue.

"They were very professional and fixed it very quickly. I was impressed," he said.

The discovery of the bug did not come from hours of painstaking research, Copley admits. He found it when another researcher, known as "http-equiv", sent him a virus, for research purposes, by email that was over 100kb in size.

"He was showing me a virus that was using one of my bugs in the wild. It had all this code, and one of the parts just started running," he explained. "We found it by accident."