Proof of concept - iframes and Yahoo groups
I’ve made a proof of concept page for Yahoo groups.
The hope is that Yahoo groups will see it, and realize how badly insecure the homepages for the groups are:
http://groups.yahoo.com/group/proofofconcept/
And no, it’s not dangerous. I’m not a bad guy. But had I been a bad guy, I could have basically done anything with that vulnerability. And because it’s a trusted site, people wouldn’t have thought they could be infected.
I added a pop-up, and a redirect (thanks for the suggestion, Joe).
What I found while setting up the group, was that if I only included the iframe in the description field, they substituted my tags for lookalike characters. But if I had other tags first, the tags were delivered as I wrote them.
Update:
Proof of concept that iframes work in message as well:
Joe’s proof of concept message (Joe got it to work too, and this one’s ready for scrutiny).
I had to remove the redirect here, because it crashed Thunderbird when I tried to send the message. But with a spam mailer, or software with other features, that wouldn’t be a problem. Incidentally, the iframe worked in Thunderbird as well, which I totally didn’t like! Update: Joe’s version of Thunderbird was different, and he had to work a bit more to get the iframe to work. His post about the issue here.
For contrast, eBay talks openly about iframes not being allowed. Looks like they have some kind of automated way of blocking it. As Joe pointed out, it’s a thorny story, because Google AdSense actually uses iframes to work. The point isn’t that iframes should not exist. The point is that trusted services should not allow strangers who open an account to use unsafe code. Iframes basically import foreign content into their sites. In other words, if you go into unsafe neighborhoods with an unsafe browser, it’s your neck. But if you go to a trusted service and get a trojan, it’s an embarrassment for said service, and a shock for the infectee.
Update December 30, 2005:
I got two new responses from Yahoo. One for the specific use of ads via iframe on a specific Yahoo group (which is still up), and one for reporting the iframe vulnerability. I got the same stock response for both reports:
While we investigate all reported violations against the Yahoo! Terms of Service (TOS), Yahoo! has no control over activities outside its service, and therefore if messages are being sent directly to your address outside of the Yahoo! Groups service, we cannot take action. You may try contacting the sender’s email provider, by identifying the sender’s domain and contacting the administrator of that domain.
This demonstrates a total inability to even understand the problem, on the part of the responding abuse person. And if I get this type of response, it’s very unlikely it will be sent up the pipe to someone who can do anything about it. Which means we need to make a public stink to get the attention of someone higher up.
What other services allow or disallow:
* LiveJournal, Xanga and MySpace from July 2005
* Browsers - it’s possible to block iframes in your browser. If anyone knows how, please let me know.
* eBay doesn’t allow iframes
December 28th, 2005 at 11:28 am
> I’m not a bad guy. But had I been a bad guy…
Are you sure? I thought you were not a “guy” at all.
Nice exploit by the way. Looks like Yahoo Groups is open to similar exploits as MySpace.
December 28th, 2005 at 11:58 am
I’m not bad, and I’m not a guy. Satisfied? Just because I’m neither, doesn’t make my statement any less true.
December 28th, 2005 at 1:21 pm
> Satisfied?
Wonders…
[How in the hell can I convey, in a written language, to Ann Elisabeth that I was just pulling her leg metaphorically.]
December 28th, 2005 at 2:16 pm
And here I thought English was your second language, and maybe you weren’t as used to colloquialisms?
I use a lot of those, and since English is my third language, hopefully I don’t mix them up too much.
December 28th, 2005 at 3:03 pm
It is very surprising how few people actually knew about this and other VOIDs that still exist (that would be best NOT to reveal in public…).
hmmm…Or maybe they knew - but no-one felt compelled to do something until a highly publicized embarrassment occurs.
What was their reaction when you informed them???
Would it be okay to post a link to this Topic on their Blog site?
> I use a lot of those, and since English is my third language, hopefully I don’t mix them up too much.
BTW:
Your English is excellent!
December 28th, 2005 at 3:40 pm
SEW:
No response so far (checking gmail to make sure), and the spammer whose Yahoo group I first noticed, still has his groups. I got a response just a few hours ago that they’d taken action and couldn’t tell me what. Form letter, in other words.
Please post this as widely as you like (of course not to the point of spamming). I wouldn’t mind a small /dotting for this one…
December 29th, 2005 at 12:34 am
> And here I thought English was your second language, and maybe you weren’t as used to colloquialisms?
I am familiar to a large extent especially with the American colloquialisms. In this case the excessive use of the word sounded funny, that’s it.
Have you tried submitting it to Slashdot?
I guess people don’t notice unless you do something outrageous like “Sammy is my friend”
December 31st, 2005 at 1:07 pm
You might see if Jeremy Zawodny can get Yahoo Groups’ attention. He’s an avid blogger who works for Yahoo.
http://jeremy.zawodny.com/