web application security lab

Yahoo Mail Gives Users Trojan Horses

I got this picture from a reader of the site. Apparently the reader was simply viewing Yahoo mail and poof, RogueIframe trojan. We are starting to see a lot more of this kind of stuff, but it’s really disappointing that third party ads are being displayed on otherwise sensitive apps (or at least I think most people feel they are sensitive). Here’s the picture:


We’ve seen this exact hack hit before, against Facebook. But I think this kind of thing may be the beginning of an epidemic. As long as you can end up with your advertisements on any site that is even vaguely sensitive, you can start either taking over the site, or delivering malware. Whatever best suits the attacker’s needs. I think this all goes back to Tom Stripling’s speech at OWASP where he in painstaking detail explained why you cannot trust third party JavaScript on your site, and yes, that definitely includes advertisements. Anyway, I hope this gets cleaned up quickly.

15 Responses to “Yahoo Mail Gives Users Trojan Horses”

  1. RSnake Says:

    From the person who sent me the photo:

    [10:16] person: you know this yahoo virus finally convinced me js is a bad bad thing
    [10:17] person: i thought you were promoting purism and overkill but you are 100% right about the threat
    [10:18] person: it’s not yahoo that’s malicious here but it doesn’t matter because their advertisers sell adspace to others and so on and so on… and as long as that happens no one is safe.

  2. thrill Says:

    [10:19] person is sending you a file…
    [10:19] person: there’s something weird happening to my compu
    [10:19] person has disconnected

    But you know RSnake, we’re safe, we have a firewall so we don’t have to worry about this kind of stuff…

    –thrill

  3. loooooongcat Says:

    Why would an IFrame be rouge (red)? Seems pretty stupid if your malicious content can be spotted so easily.

  4. Dan Weber Says:

    you cannot trust third party JavaScript on your site,

    FYI, you have JavaScript sourced at digg.com on this very page.

  5. thrill Says:

    @Dan - Good point, but this is a public website, not your inbox at a hosted solution. Slight difference there.

  6. RSnake Says:

    @looooooongcat - whoops, typo

    @Dan - funny, I had forgotten I even have it on the site. I don’t even see it anymore, I have long since banned the use of JavaScript completely from my machine except in some very specific tests. I’m happy to remove it though, I don’t think it does much for us. But you’re absolutely right - it too is just as dangerous as any advertising company’s code if it were somehow able to come under the control of an attacker. I think it’s a tad less likely in their case because it’s not 3rd party defined like an advertiser who resells it, but you’re still right.

  7. RSnake Says:

    @Dan - I removed it. Thanks for bringing it to our attention!

  8. Jon A. Longoria Says:

    @RSnake

    I am pretty surprised (or am I?) at the open door Yahoo left open for a mail service that is inherently supposed to be a private function.

    I can’t say I haven’t encountered this before, such as CNN.com’s continued inability to keep such malicious content out of its adspace, however, never in such a personal arena of communication.

    Partially related, where do you see this incursion trend going in mobile web applications/services and their increasing accessibility via mobile wireless devices (iPhone, iPAQ, Blackberry, PSP, etc.) outside the phishing filters, spam blockers and firewalls? I see an unstoppable temptation for commercial exploitation by software makers such as Symantec to fear-market on this premise.

  9. RSnake Says:

    @Jon - they have to make their money somehow, I guess. I agree, pretty funky though. I’m not comfortable with any of the monetization efforts I’ve seen in webmail thus far. But then again, I’m not going to convince many people that they should avoid webmail for anything sensitive. I know lots of people who proudly tell me they use gmail for corporate communications. It’s hard to explain to people why that’s a terrible idea, until it’s too late.

    We had a talk about the mobile problem while I was at SourceBoston and I think the ubiquity of mobile platforms is growing pretty significantly (approaching 100% penetration) but the fairly diverse platforms themselves and fairly high turnover rates make it more difficult to write anything with longevity. But there are definitely going to be a lot of people writing software to protect against it. Part of the problem is there is no obvious/easy way to do firmware updates on most platforms, software, sure, but not firmware. Given my talks with the Flexilis guys, and how many different mobile platforms they’ve found issues with, I’m not convinced we are going to see this problem taper off anytime in the near future. It may not get bad any time in the near future, but it will probably get worse before it gets better.

    Btw, a second user just said they were also infected by this exact same trojan horse. The user is trying to clean up their system now. Great. That makes 2.

  10. Awesome AnDrEw Says:

    So not only are third-party advertisements annoying, but they are also ambiguous. Granted this is a concept I have understood and come across on several occasions, but I would not expect such issues to appear under potentially confidential areas of services provided by an online company with such notoriety, and caliber. Cross-site scripting? Okay.
    Cross-site request forgeries? Alright, but when it comes to third-party and off-site content being displayed and causing a problem there’s really something to consider. Are there security implications with each issue? Of course, but web application programmers, website developers, and other security-minded individuals need to learn that any work of another author outside of the given company or group cannot be trusted under any circumstance.
    As I’ve had to explain to a handful of individuals, by embedding IFRAME elements into your source it is possible, but generally unlikely, that even if the window points to a reputable URL users can still be compromised in the event that the off-site material is altered. Paranoia? Perhaps, but it’s best to take into account any and all issues no matter how prevalent or nonexistent they may be. It’s all about risk management: weighing in on one’s assets, possible threats, and the likelihood in which such attacks are realized.

  11. Wladimir Palant Says:

    I don’t think Yahoo was embedding third-party JavaScript into web mail (wouldn’t surprise me much however given Yahoo’s security track record), it is rather a third-party iframe. Still very questionable but far less critical.

    I tried to open the URL from the screenshot. Funny enough, it does exactly what it says in the URL - track users with lots of 1×1 images. No advertising is displayed so all content is coming from the advertiser directly. Given that, I wonder whether there really was a trojan horse. I suspect either a false alarm or this message is generally shown when the software detects a third-party frame where there should be none (Yahoo Mail being one of those places).

  12. Log0 Says:

    The common user might be very scared and really click on it. If it’s just pure ads, they might leave it since they are not interested.

    “Ummm, trojans? What’s that, I only know it’s virus! Some New Yahoo! technology to protect me?”

    Oops. Who knows what it leads to? I don’t think having such ( even normal ad ) is a very good experience while using email — while serving privately. This really hurts the image of Yahoo!.

  13. RSnake Says:

    Here’s a snippet from an email in response to what happened from Yahoo:

    Yahoo! responded rapidly to a malware notification yesterday and determined that it was actually a false alarm from anti-virus vendor Avast. Avast worked quickly to address the situation and resolve the problem. Yahoo! Mail users can be assured that this was a false alarm and they do not need to take any action.

    Thanks,
    Karen

    Karen Mahon
    Yahoo! Corporate Communications, Yahoo! Mail

    So perhaps it wasn’t actually a trojan, just Avast claiming it was - which may mean the other infection the other user found (also using Avast) was simply coincidental. Unfortunately since I never had access to the original source and sites can and do change there is no way for me to know one way or another if it was real or a false alarm. I didn’t see anything on Avast’s website that would denote people should ignore any warnings, but perhaps it’ll be put out in a future definition file. I might add that if it really is a false positive it shows how immature the automatic web-based detection space really is. Further, this would appear to go against their VB100 track record of no false positives.

  14. Awesome AnDrEw Says:

    Anti-virus software is only so useful at its current stage especially with web-based detection schemes. From what I have personally observed, which could be incorrect, generally applications such as Norton will pick up a hex-encoded string in the Javascript space, parse it or convert it to its ASCII/decimal equivalents, and then alert the user with a trojan warning if even a simple IFRAME element is detected pointing to an IP address. I’ve noticed that it is quite limited to the number of times the statements in the scripts are obfuscated as well.
    A perfect example of this would be the ADODB vulnerability from 2004, which could be used in order to save remote files onto a computer, and then have them execute using a URI protocol handler such as “aim://”, “mms://”, “irc://”, or any other software that may have been previously installed on the victims’ machine. If the Javascript’s statements are kept in plain-text then most anti-virus programs throw a fit. Most still catch it when it’s encoded only a single time, but any more than that and it goes unnoticed. Again these are my own observations so there can be some discrepancy, but Billy Rios’ URI abuse and the RES protocol enumeration methods renewed my interest in experimenting with the old ADODB issue not too long ago.
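An added example, not code from the post or any commenter, of the detection approach AnDrEw describes above: decode hex-escaped JavaScript strings and flag an IFRAME whose src is a bare IP address. It also shows the limitation he observed, a decoder that peels a fixed single layer misses the same tag once it is encoded twice, while an iterative decoder does not. The sample scripts and the 192.0.2.10 address are constructed for the example.

```python
import re

# Constructed sample (not from the page): a 1x1 iframe pointing at a bare IP,
# the pattern the comment says AV products alert on once decoded.
PLAIN = 'document.write("<iframe src=\'http://192.0.2.10/x\' width=1 height=1></iframe>")'


def hex_escape(s: str) -> str:
    """Rewrite every character as a JavaScript \\xNN escape (one obfuscation layer)."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


# The same payload wrapped in one and two layers of hex escaping.
ONCE = 'eval("' + hex_escape(PLAIN) + '")'
TWICE = 'eval("' + hex_escape(ONCE) + '")'

_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_PCT = re.compile(r"%([0-9a-fA-F]{2})")
# <iframe ... src="http://<dotted quad>" ; a bare IP literal is the trigger here.
_IFRAME_IP = re.compile(r"<iframe[^>]*src=[\"']?https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def decode_once(s: str) -> str:
    """Resolve one layer of \\uNNNN, \\xNN and %NN escapes to their characters."""
    s = _UNI.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = _HEX.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_layers(s: str, max_layers: int):
    """Decode repeatedly until the text stops changing or the layer budget is spent.
    Returns (decoded_text, layers_removed)."""
    for n in range(max_layers):
        new = decode_once(s)
        if new == s:
            return s, n
        s = new
    return s, max_layers


def flags_iframe_to_ip(script: str, max_layers: int):
    """Return (ip_or_None, layers_removed). max_layers=1 models a single-pass scanner."""
    decoded, layers = decode_layers(script, max_layers)
    m = _IFRAME_IP.search(decoded)
    return (m.group(1) if m else None), layers


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("once", ONCE), ("twice", TWICE)):
        print(name, "single-pass:", flags_iframe_to_ip(sample, 1), "iterative:", flags_iframe_to_ip(sample, 5))
```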

  15. jwbrkrjp1 Says:

    What amazes me, is the point ANYONE would feel a need to SO AGGRESIVELY place advertisement into a webpage with sole design set up in such a way it could create a NEGATIVE reaction from the viewer/user - meaning at the point you interrupt a persons action or intentions - you have gotten the attention, yes, BUT when you