Yahoo promptly retired ImageMagick library after failing to install 2-year-old patch.
Dan Goodin
For years, Yahoo Mail has exposed a wealth of private user data
because it failed to update widely used image-processing software that
contained critical vulnerabilities. That's according to a security
researcher who warned that other popular services are also likely to be
leaking sensitive subscriber secrets.
Chris Evans, the researcher who discovered the vulnerabilities and
reported them privately to Yahoo engineers, has dubbed them "Yahoobleed"
because the vulnerabilities caused the site to bleed contents stored in
server memory. The easy-to-exploit flaws resided in
ImageMagick,
an image-processing library that's supported by PHP, Ruby, NodeJS,
Python, and about a dozen other programming languages. One version of
Yahoobleed was the result of Yahoo failing to install a
critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers
fixed only recently after receiving a private report from Evans.
The vulnerability discovered by Evans could be exploited by e-mailing
a maliciously manipulated image file to a Yahoo Mail address. Once the
18-byte file was opened, chunks of Yahoo server memory began leaking to
the end user. Evans called this version of the attack "Yahoobleed1."
"Yahoobleed2" worked by exploiting the vulnerability fixed in January
2015.
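As an added illustration of the bug class the article describes (an image decoder that returns whatever its output buffer held before), here is a constructed toy run-length decoder in a leaking form and a hardened form; this is not code from the article, from Evans or from ImageMagick, and the format, function names and sample bytes are all assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy format (not ImageMagick's): byte 0 = pixel count, then
 * (run length, value) pairs. A truncated file supplies too few pairs. */

/* Vulnerable decoder: stops quietly when input runs out yet still reports
 * `want` pixels, so the untouched tail of `out` (a recycled buffer still
 * holding a previous request's data) is handed to the client. */
static int decode_vulnerable(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 1 || (size_t)in[0] > out_cap) return -1;
    size_t want = in[0], pos = 0, i = 1;
    while (pos < want && i + 1 < in_len) {
        size_t run = in[i] > want - pos ? want - pos : in[i];
        memset(out + pos, in[i + 1], run);
        pos += run;
        i += 2;
    }
    return (int)want;
}

/* Hardened decoder: clears the buffer first and rejects any file that does
 * not account for every pixel, so no stale byte can reach the output. */
static int decode_hardened(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 1 || (size_t)in[0] > out_cap) return -1;
    size_t want = in[0], pos = 0, i = 1;
    memset(out, 0, out_cap);
    while (pos < want) {
        if (i + 1 >= in_len) return -1;                  /* truncated file */
        if (in[i] == 0 || in[i] > want - pos) return -1; /* malformed run */
        memset(out + pos, in[i + 1], in[i]);
        pos += in[i];
        i += 2;
    }
    return (int)want;
}

/* Check: decode a constructed truncated file (claims 8 pixels, supplies 3) into
 * a buffer pre-filled with a stale marker. Returns -1 if the decoder rejected
 * the file, else how many of the reported pixels still carry the marker. */
static long stale_after(int hardened)
{
    static const uint8_t truncated[] = { 8, 3, 0xAA };
    uint8_t buf[16];
    memset(buf, 'S', sizeof buf);   /* stands in for leftover request data */
    int rc = hardened ? decode_hardened(truncated, sizeof truncated, buf, sizeof buf)
                      : decode_vulnerable(truncated, sizeof truncated, buf, sizeof buf);
    if (rc < 0) return -1;
    long stale = 0;
    for (int k = 0; k < rc; k++) stale += (buf[k] == 'S');
    return stale;
}
```

A non-zero result from `stale_after(0)` is exactly the condition that turns a malformed attachment into a read of server memory; the hardened path refuses the file instead.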
“A real mess”
Together, the bugs allowed attackers to obtain browser cookies, authentication
tokens, and private image attachments belonging to Yahoo Mail users.
Despite Yahoo allowing one of the bugs to remain unpatched for 28
months, Evans praised company engineers for their speed and thoroughness
in responding to his private report.
Rather than patch ImageMagick, Evans said, Yahoo opted to stop using
the library, a move he applauded. Over the past 18 months, ImageMagick has
come under increased criticism for harboring critical vulnerabilities, which in the past have
threatened Facebook users, among others. Evans warned that other widely used Web services are likely still vulnerable.
Evans told Ars:
ImageMagick usage is a real mess. I'm sure there are lots
of sites out there which are still vulnerable to this. To give a couple
of data points, I found big Silicon Valley companies such as Box and
Yahoo! were using two-year-old versions of ImageMagick. So it seems
unlikely that everyone has updated for this very recent issue.
Evans said a competing image-processing library called GraphicsMagick
patched the same underlying bug in March 2016. That fix raises
questions about why ImageMagick developers didn't independently diagnose and
fix the problem in their own software. He said that developers who want
to test whether their sites are affected by the vulnerability he discovered
can download the 18-byte exploit included in a
blog post detailing the vulnerability. He provided details for
Yahoobleed2 here.