“Yahoobleed” flaw leaked private e-mail attachments and credentials

Yahoo promptly retired the ImageMagick library after failing to install a 2-year-old patch.

Dan Goodin

For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.

Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory. The easy-to-exploit flaws resided in ImageMagick, an image-processing library with bindings for PHP, Ruby, NodeJS, Python, and about a dozen other programming languages. One version of Yahoobleed was the result of Yahoo failing to install a critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers fixed only recently after receiving a private report from Evans.
The vulnerability discovered by Evans could be exploited by e-mailing a maliciously manipulated image file to a Yahoo Mail address. Once the 18-byte file was opened, chunks of Yahoo server memory leaked to the end user. Evans called this version of the attack "Yahoobleed1." "Yahoobleed2" worked by exploiting the vulnerability fixed in January 2015.
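The failure mode behind this class of bug is an image decoder that accepts a file shorter than the pixel count it declares, fills in only the bytes it has, and then hands the whole buffer back to be re-encoded and served, so whatever the buffer held before (other users' data, tokens, cookies) ends up in the output image. The following is an added illustration written for this article, not Evans's exploit and not ImageMagick's code: the "toy" image format, the two decoder functions, and the 'S' marker standing in for leftover secret data are all constructed for the example. The vulnerable decoder shows the defect; the hardened one rejects truncated input and clears the output region first.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy image format (not a real ImageMagick coder):
 *   byte 0 = width, byte 1 = height, then width*height 8-bit pixels.
 */

/* Vulnerable decoder: copies whatever pixel bytes are present and reports
 * the full width*height as decoded, so a truncated file leaves the tail of
 * the caller's buffer holding whatever it held before. */
size_t decode_toy_vulnerable(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap)
{
    if (in_len < 2) return 0;
    size_t w = in[0], h = in[1];
    size_t pixels = w * h;            /* at most 255*255, no overflow */
    if (pixels > out_cap) return 0;
    size_t avail = in_len - 2;
    if (avail > pixels) avail = pixels;
    memcpy(out, in + 2, avail);       /* bug: pixels beyond avail never written */
    return pixels;                    /* bug: claims every pixel is valid */
}

/* Hardened decoder: refuses files that do not carry every pixel they
 * declare, and zeroes the output region before writing so that no stale
 * bytes can reach the caller even if a later coder bug skips some pixels. */
size_t decode_toy_hardened(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap)
{
    if (in_len < 2) return 0;
    size_t w = in[0], h = in[1];
    size_t pixels = w * h;
    if (pixels > out_cap) return 0;
    if (in_len - 2 < pixels) return 0;  /* truncated: reject instead of guessing */
    memset(out, 0, pixels);
    memcpy(out, in + 2, pixels);
    return pixels;
}

/* Count bytes in out[0..n) that still equal the marker the caller
 * pre-filled the buffer with; any nonzero count is a disclosure. */
size_t count_stale(const uint8_t *out, size_t n, uint8_t marker)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == marker) c++;
    return c;
}

/* Run one decoder over a constructed truncated image and report how many
 * stale bytes it would hand back to the requester. */
size_t stale_bytes_returned(size_t (*decode)(const uint8_t *, size_t,
                                             uint8_t *, size_t))
{
    /* Constructed input: declares 4x4 = 16 pixels but carries only 3. */
    static const uint8_t truncated[] = { 4, 4, 0x10, 0x20, 0x30 };
    uint8_t out[64];
    memset(out, 'S', sizeof out);     /* 'S' stands in for leftover secret data */
    size_t n = decode(truncated, sizeof truncated, out, sizeof out);
    return count_stale(out, n, 'S');
}

/* Sanity check: the hardened decoder still accepts a complete file. */
size_t hardened_decodes_complete_file(void)
{
    static const uint8_t full[] = { 2, 2, 1, 2, 3, 4 };  /* 2x2, all 4 pixels present */
    uint8_t out[16];
    return decode_toy_hardened(full, sizeof full, out, sizeof out);
}

int main(void)
{
    printf("vulnerable decoder leaks %zu stale bytes\n",
           stale_bytes_returned(decode_toy_vulnerable));
    printf("hardened decoder leaks %zu stale bytes\n",
           stale_bytes_returned(decode_toy_hardened));
    printf("hardened decoder returns %zu pixels for a complete file\n",
           hardened_decodes_complete_file());
    return 0;
}
```

The two defensive properties are independent and worth keeping separate in review: strict length validation stops a malformed file from being accepted at all, while clearing the output buffer before decoding bounds the damage if a future coder bug skips pixels anyway. A service that re-encodes user-supplied images and returns the result needs both, since the output image is exactly the channel through which stale memory escapes.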

“A real mess”


Together, the bugs allowed attackers to obtain browser cookies, authentication tokens, and private image attachments belonging to Yahoo Mail users. Despite Yahoo allowing one of the bugs to remain unpatched for 28 months, Evans praised company engineers for their speed and thoroughness in responding to his private report. Rather than patch ImageMagick, Evans said, Yahoo opted to stop using the library, a move he applauded. Over the past 18 months, the library has come under increased criticism for harboring critical vulnerabilities, which in the past have threatened Facebook users, among others. Evans warned that other widely used Web services are likely still vulnerable.
Evans told Ars:
ImageMagick usage is a real mess. I'm sure there are lots of sites out there which are still vulnerable to this. To give a couple of data points, I found big Silicon Valley companies such as Box and Yahoo! were using two-year-old versions of ImageMagick. So it seems unlikely that everyone has updated for this very recent issue.
Evans said a competing image-processing library called GraphicsMagick patched the same underlying bug in March 2016. This fix raises the question of why ImageMagick developers didn't independently diagnose and fix the problem in their own software. He said that developers who want to test whether their sites are affected by the vulnerability he discovered can download the 18-byte exploit included in a blog post detailing the vulnerability. He provided details for Yahoobleed2 here.
