Yet Another Yahoo! Security Issue

The Yahoo! logo that was introduced in 2013 and features dual-tone purple/violet thin-walled lettering.

Yahoo! has fixed a¬†major security flaw. This one was with their Yahoo! Mail email service that allowed an attacker to embed JavaScript in an email and have it execute. This would allow an attacker to gain access to all of a person’s email and Yahoo! account just by them opening an infected email.

How was it done? Yahoo!, like many other email services, strips HTML and most attributes from emails that are received. However, not all are filtered and normally it would not matter if JavaScript were embedded in an attribute – it needs to be encoded and won’t get executed anyway. However, thanks to the video and image previews that have been added in recent years (the ones that show YouTube or Vimeo video preview icons or previews of images attached to an email), some data-x attributes are used to allow the JavaScript Yahoo! wrote to generate a preview block:

Yahoo! Mail XSS Bug

So a security researcher thought… what would happen if I embedded a script inside the element data parameter? So he tried it:

What happened when he sent himself the infected email to his Yahoo! account?

Yahoo! Mail showing a popup generated from a received email

Uh oh…

But that is just some script embedded in an attribute, why is it getting converted to actual HTML? He began digging through Yahoo!’s JavaScript – the part that generates those video and image previews. He found a piece of code that was simply taking the contents of a couple of the parameters and embedding it within the page as HTML:

Oops…

With that kind of power an attacker could gain access to all of the emails from anyone that opened an infected email, send email as said user, or even do other actions with their account.

The researcher submitted the flaw prior to releasing the details and Yahoo! has fixed the issue.

WordPress Security Release 4.2.4

The WordPress logo. A "W" cut out of a dark gray circle with an outline of the same color. "WordPress" is written below the logo. "Word" is a dulled blue and "Press" is the same gray color as the logo.

WordPress has released version 4.2.4. This security release fixes 3 cross-site-scripting (XSS) vulnerabilities and a possible SQL injection exploit.

In addition the update also fixes a few general bugs in the software:

  • A fix for characters not being saved correctly when a non-standard database¬†collation is used
  • A fix for the core not type-checking directory listings using glob()
  • A fix for shortcodes not working when they are added at the beginning of an HTML element (e.g. <[my-shortcode ...] >)
  • A fix for shortcodes removing line returns inside of CDATA content blocks

WordPress is the open-source blogging and publishing software originally developed by Autoattic who handed off the software and copyrights to the WordPress Foundation, a charitable organization the supports WordPress and related plugins.

https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/