-
Get a monthly update on best practices for delivering successful software.
Security – Yamanner Worm Hits Yahoo Mail (Not!)
Update 3: Eric Pascarello has a brief blog entry describing the mechanisms by which the worm works. If you'd like to look at a defanged version of the code, it is here.
Update 2: I'll save you reading all the way to the bottom. This blog entry
over at the Washington Post seems to take the view that users of Yahoo
Mail Beta (the AJAX version) are in fact not vulnerable to the critter. The fix is apparently to migrate to Beta. Like I said, these reporters often scramble the facts.
---
Looks like we have our first AJAX-related security hole. From the InformationWeek article:
Yahoo Mail relied on a JavaScript function in connection with uploading
images from a message to their mail server. Yahoo Mail made limited use
of Ajax to spur interactions between the mail user and Yahoo's servers.
The Yamanner worm exploited one of the few JavaScript functions that
Yahoo Mail didn't already screen out, the ability to execute JavaScript
in connection with directions to upload an image from a user's mail
message. The worm substituted its own JavaScript commands where the
image-handling code was meant to go.[...]
Yahoo Mail is displayed in the user's browser Window, and browsers are
designed to execute any JavaScript they find in an HTML page or
message. As Yamanner recipients opened their messages, there was no
outward sign for the user that anything was amiss. The Yamanner worm
didn't need an image to be included with a message to do its work. The
JavaScript executes in background, the browser performs no checks on
whether it is performing the expected function or not, and the worm
shows no telltale of its activity on the user's screen, except a
possible slowdown in other activities.In addition to ordering the user's computer to query the Yahoo
mail server for the user's address book, generate a message and send
them out to each name in the address book, Yamanner also captured the
addresses and uploaded them to a still unidentified Web site. By doing
so, it was building an email list with many thousands of names that
could be sold to spammers, note Web security experts.
The reported flip-flops between "worm" and "virus" in the article. I know from personal experience that reporters can get these things a little mixed up, so I'll try not to take the breathless tone of the news article.
What exactly did this "worm" do? Not a whole lot of information out there yet. Was it simply that they uploaded a Javascript file instead of an image? Then the only way this was an AJAX vulnerability is that AJAX apps cut functionality into nice little chunks ("send message", "delete message", "view message", etc.) that can be accessed by the browser without the user knowing about it. So, nothing really new here, other than an example of cross site scripting. Stay tuned.
Update 1: Symantec has a security response here.
JS.Yamanner@m arrives on the compromised computer as a Yahoo! HTML
email containing JavaScript. If the email is opened within Yahoo! Mail,
it performs the following actions:
- Exploits a vulnerability in the Yahoo! Mail service and executes a script.
- Scans emails in the personal folders of the Yahoo! Mail
account. The worm gathers email addresses that contain @yahoo.com and
@yahoogroups.com domains.Note: The personal folders are email folders in the currently
logged in Yahoo! Mail account. These include folders such as the Inbox,
Sent, and any custom-named folders in the account.- Sends a copy of itself to the email addresses gathered. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message Body: Note: forwarded message attached.
- Redirects the Web browser from Yahoo! Mail to the following Web site:
[http://]www.av3.net/index.htm
- Sends the list of gathered email addresses to the above URL.
Related posts:
- Yahoo Mail, Ajax and Your Server
- Another Worm, This Time on Myspace
- Web app security checklist (Braindump)
- Yahoo UI components
- GWT Security Talk
Topics: Security
Comments: 1 so far
Leave a comment
Launch: Pathfinder Newsletter
Subscribe via RSS
Categories
Topics
.NET
.NET Browser Control
.Net Development
2d cad
2d physics
3d
3D GPS
3d mapping
3D physics
37signals
Acceptance Tests
Accessibility
ActionMailer
actionscript
activerecord
acts_as_ferret
Add new tag
Adium
ADO.NET Entity Framework
Adobe
adobe acrobat
Adobe AIR
adobe flex
Adobe Illustrator
Advertising
aggregation
agile
Agile Development
agile iteration
agile thinking
AIR
Ajax
Ajax Applications
Ajax Bookmarking
Ajax Components
Ajax Development
Ajax Examples
Ajax Experience
Ajax Frameworks
Ajax history management
Ajax Intervention
Ajax libraries
Ajax library
AJAX Obfuscation
Ajax Performance
Ajax Products
Ajax toolkit
Ajax Tools
Ajax Widgets
A list apart
Amazon
Amazon CDN
Amazon Web Services
amf
Analysis
Android
animation
annotation
Announcement
Announcements
antennae
Antipatterns
Apache
Apollo
App Engine SDK
apple
apple tablet
Application Architecture
Application Development
ap store
architecture
art
AS3
ask a UI guy
ASP.NET
ASP.NET
assembla
asterisk
Asynchronous Processing
authorization
awards
axiis
Azure
Back Button
backups
bandwidth
bandwidth profiling
Barnes & Noble
Barriers to Entry
Beans
beer
Benchmarking
Best Practices
BitmapData.draw
BJAX
blackberry
Blaze Advisor
blender
blog
blogging
blog widgets
book review
Books
Borders
braindump
browser
Browsers
Bugs
Business
Business Concepts
Business Reasons for Ajax
Business Rules Engines
C#
c# documentation ndoc sandcastle
caching
campfire
Canvas
capistrano
career
Case Studies
CFO
change management
Charles
charting
checklist
chess
Chesspresso
Chicago
chicagoruby
chirb windycityrails
Chrome
Chrome OS
CI
CIO
Claude Shannon
Closure Tools
Cloud Computing
CloudFront
CMS
COBOL
Cocoa
code
code art
Code Generation
code generator
Code Style
Color
COMET
Competitive Strategy
Compilers
Compressor
Computer Science
Conference
Confluence
Consistency
Content Management
continuous integration
converget appliances
core animation
CRM
cruise
CruiseControl
CSS
cucumber
Custom Application Development
Custom Flex Component
dashboard
Data Mapper
data services integration
data visualization
date
datetime
Davlik
Degrafa
deployment
deprec
Design
design documentation
Design Patterns
design thinking
Desktop
desktop application development
Desktop RIA
Desktop Software
developer
Developer's Notebook
development
DHTML
Diagnose
Divide and Conquer
documentation
Dojo
Domain Knowledge
don norman
Drawing
Drools
drupal
dynamic languages
ease of use
EC2
Echo2
Echo3
Editorial
elections
enterprise iphone development
Entrepreneur
erb
ERP
error handling
Estimating
estimation
Ethnographic Research
events
everyblock
Evolution
Excel
externalinterface
Ext JS
Extreme Programming
eye tracking
Facebook
factory
failure
Fake Agile
Feedback Loop
ferret
FileReference
Firebug
Firefox
Firefox Extensions
fixed bid
fixture replacement
fixturereplacement
fixtures
Flare
Flash
Flash and Air
flash awards
Flash Catalyst
flash player
flash player 10
Flash Player optimization
Flash Remoting
Flex
Flex, Flash and Air
Flex3
flex 3
flex code generator
flex css
flex development
flexmock
Flex optimization
flex skins
flexunit
flex widgets
Flickr
Flock
Flow
Fluent
forms
Frameworks
FriendFeed
front end
front end development
fulltext search
functional
functional specs
Games
Gang of Four
Gauge Component
GDI+
gem
getting things done
ghost
GigaOm
GIS applications
Git
github
gitignore
Golf
Google
Google Analytics
Google Analytics for Flash
Google Analytics for Flex
google android
Google App Engine
Google calendar
Google Closure Tools
google docs
Google Gadgets
Google Gears
google maps
Google Web Toolkit
Google X Prize
GORM
government
g phone
Grails
Graphics
graphing
Greasemonkey
Griffon
Griffon Plugin Development
Groovy
GStreamer
GTD
Gwittir
GWT
GWT 2.0
GWT Layouts
GWT Rich Internet Apps
h.264
haml
hardware
Healthcare
heuristic evaluation
Hibernate
high-performance teams
hosting
HTML
Hudson
Hype
IBM
IDE
Ideation
IE
IE6
IE7
IE8
IE detection
iGoogle
Illustrator
illustrator cs3
ILog
ILOG JRules
imacros
importing graphics to flex
Information Architecture
information visualization
infrastructure
Innovation
Instructional Design
Interaction Design
interaction patterns design
Internship
Interview
iPad
ipad development
iPhone
iPhone Development
iphone framework
iPhone SDK
iPod
ipod touch
irb
iteration
IT M
IT Mill Toolkit
iTunes
jakob nielson
Java
javafx
Javascript
JavaScript frameworks
Javascript Libraries
Java Web Start
JBoss Rules
Jess
Jetty
JIT
jmeter
jnlp
job
Jobs
jQuery
JSF
JSON
JSP
JSR-94
JsUnit
JVM
JWS
Kanban
keynote
Kindle
kiosk
laptop
Lazlo
Lean
Legacy Systems
leopard
lightweight
LinkedIn
LINQ
LINUX
log4j
logging
Logical Model and Conceptual Model
Low Pro
Mac
Maintainability
Malware
Manufacturing
mapping
marketing
Marketplace
Mash Note
Mashups
math
measurement
Meebo
metal
metaprogramming
MetaWidget
Methodology
Microformats
microsite
Microsoft
midVentures25
migrations
minimalism
Mobile
mobile platform
Mocha
Mock
mocking
mock objects
modeling
mod_rails
monitoring
Mootools
mortgage calculation
mouse
mouse scroll
mouse wheel
Mozilla
Music
MVC
MySql
natural key
neal ford
Netbook
NetNewsWire
networking
NewNet
news
newspapers
new york times
nfjs
NHibernate
nokia
notebook
NSURLProtocol
obj-c
Object-Oriented
Objective-C
Object Relation Mapping (ORM)
ocmock
Office
Om Malik
OmniGraffle
online spreadsheets
OOAD
OOP
opengl
Open Screen
OpenSocial
Open Source
opensource
Opera
Oracle
OReilly
origami
ORM
os
osx
OS X
Packer
pagination
pairing
Pair Programming
palm
papervision3d
Pathfinder Development
Pathfinder Events
Pathfinder General
Patterns
pdf
pdf application development
Peer Creation
Performance
Personas
PGN
Photoshop
PHP
Phusion Passenger
physics
physics engines
planning
play at work
plugin
plugins
portableapps
pragmatic
prawn
Predictions
preloader
presentation
primary key
privacy
process Web/Tech
Product Definition
Product Design
production environments
Production Support
productive programer
productivity
product launch
product management
product manager
Product Strategy
Progressive Enhancement
project concept
Project Manage
project management
Project Website
Prototype
Prototyping
PureMVC
Pure MVC
purpose
purpose built devices
PV3D
pyro
QA
qooxdoo
Radiant CMS
rails
railscasts
rails controllers
rails development
Rails Environment Tests
rails gem
rails polymorphic
railsrx
rails testing
randori
Really Simple History
Refactor
refactoring
References
regex
regular expressions
reporting
Requirements
Requirements
Alice Toth
requirements definition
Requirements Visualization
resesign
Restlet
RETE
Review
rfp
ria
Rich Interactions
rich internet applicaiton
rich internet applications
risk management
Robert Fogel
ROI
rspec
ruby
rubyamf
Ruby on Rails
Ruby on Rails Internship
Ruby on Rails testing role
ruport
S3
SaaS
Safari
San Francisco
Scalability
Scenarios
Scriptaculous
Scrum
SDLC
Search
Secretariat
Security
Selenium
SeleniumIDE
Semantic web
SEO
Server Side
service oriented architecture
shoulda
Silverlight
simplicity
Sketch
skins
SOA
soapUI
Social Networking
Software
software arhcitecture
software design
software develoment
Software Development Best Practices
Software Engineering
Software Maintenance
Software Processes
software product strategy
Songbird
SpiderMonkey
Sprajax
Spreadsheets
Spring Framework
StageScaleMode
Standards
standish
starting projects
Startups
static typing
Stencils
Steve Jobs
STI
storytelling
Story Telling
strategy
Stress
Structured Design
Struts
Subclassing
sun
surrogate key
Susan Boyle
Swing
tablet
tabs
tag
taglib
Tamarin
Tank Engine
Task Flows
Task Switching
tdd
teams
teamwork
Technical Debt
telephony
Tellurium
Test
test::unit
Test Driven Development
Testing
tether
textmate
The Ajax Experience
throttling
Tilt Component
time
timezone
Tools
touch
touch screen
touch screen kiosk
TraceMonkey
Training
Trends
Tumblr
Tutorial
Tutorials
Twitter
ubuntu
UI
UIViewController
uml
unit testing
Unit Tests
unity3d
Upgrade
Usability
Usability Testing
user centric design
user driven agile
user experience design
User Experience Design
user groups
user interface
User Interface Standards
User Modeling
User Research
uxd
Vaadin
value
velocity
Venture Capital
Video
viral marketing
Vision
visual analytics
visual design
visual documentation
Visualization
VLC
VML
vmware
Volta
Waaler Surfaces
wapcaplet
waterfall
watij
watir
web
Web/Tech
Web 2.0
web app
Web Applications
Web Design
Web Development
web forms
web hosting
Web Infrastructure
Webkit
Weblogs
Web Services
WebSockets
Web Standards
WebTest
Widgets
will_paginate
Window Forms Development
Windows
windows development
windows mobile
WinForms
Wireframes
WordPress
workflow
work life balance
xcode
XML
XML Metadata
xp
XUL
Yahoo Map AS3 API
YUI
Zeigarnik
Zeigarnik Effect
ZendAMF
ZK
Archives
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
Blogroll
Recent
- Teamicide
- Who values your product and do you value them?
- Optimizing has_role? in acl9
- Pathfinder’s Mike Laurence wins Hack-a-thon for iPhone app
- Pathfinder sponsors the midVentures25
- Pathfinder sponsoring Day of Mobile in Chicago
- Refactoring versus Rewriting
- Storytelling in Design
- Remembered: Claude Shannon
- mort_calc gem: Rails Mortgage Calculation Gem
This is not the first, though maybe the beginning of a growing trend, of Javascript worms.
The “samy is my friend” myspace “worm” from last year also used XHR to spread. From a technical perspective, it might be fancier than the Yahoo! one given it called Myspace’s services to also post messages etc.
Comment by Scott Schiller, Wednesday, June 14, 2006 @ 11:04 am