web application security lab

Yahoo Decides to Open Source Yahoo Mail

One of our lurkers sent me a link to a story on ABCNews about how Yahoo has decided to make its webmail client open source. I guess they are trying to ride the bandwagon of open-sourced application development. This probably has lots of ramifications for the web application security world. Here’s a quote from our lurker:

… the first thought that popped into my head was that I needed to find a quote like this in the article …

“Since Yahoo keeps absolute control of usernames and passwords there are no security risks, Dickerson said.”

… and sure enough it was right there in the middle of the article. ;)

That sounds like Oracle’s “unbreakable” campaign. Sounds like trouble to me. I’m really a huge fan of Yahoo, but this feels like trouble. First of all, they have had a number of successful attacks against that platform, and have reacted and changed the code to block them. If their filters become open source, expect a wave of successful attacks against them. If you’ve got a Yahoo account, you’re probably better off not reading it until the community calms down. Beyond that, since people tend to use the same information everywhere, if there are any secrets (hashes in cookies or otherwise) derived from those things that help break into the system, they will now be extra easy to compromise. Perhaps their plan is to only open source a small API, rather than the whole application (I hope so anyway)!

The goal of this, according to the article, is to open source the application so that more developers will put work into the platform - something for nothing. It’s a smart idea in theory, but it really feels like a dangerous zero day lab to me. I, for one, will be curious to take a look at their filtering. I’ve got a good idea of how it works from a black box perspective, but without seeing the code it’s difficult to picture how it was actually developed. Let’s hope they have some extra security folks hired up for when the zero days start rolling in.

4 Responses to “Yahoo Decides to Open Source Yahoo Mail”

  1. Chris Shiflett Says:

    They’re not open sourcing Yahoo Mail. What they’re doing is providing an API for authenticating against their user database:

    http://developer.yahoo.com/auth/

    Still interesting, but totally misrepresented in the media.

  2. RSnake Says:

    Weird, that’s not at all what the article says:

    Yahoo Mail’s code will be generally available later in 2006 said Jason Rupp, product manager for Yahoo’s e-mail services.

  3. kw Says:

    Even if it’s just an API, it’ll still make phishing and XSS attacks against yahooligans much easier … it’s not like Yahoo users will ever understand Yahoo’s BBauth/SSO system. Yahoo is basically going to be encouraging their users to log in to their yahoo.com account from other domains.

  4. RSnake Says:

    That’ll make XSSing accounts muuuch easier, you’re exactly right. Yahoo is fairly good at protecting themselves from these forms of attacks today, but every new developer will learn the hard way - which means only trouble for the users of those accounts.
