Post by: Paul Ducklin | Sophos Naked Security | Published on: 12/09/2016
This stripping process is known as input sanitising, for obvious reasons.
Missing a trick
Almost a year ago, security researcher Jouko Pynnönen of Finnish company Klikki Oy figured out a way to do just that in Yahoo Mail.
(In cases like this, the name cross-site is a slight misnomer, because the original script doesn’t come from another website, but the term XSS fits well enough and is used nevertheless.)
…whereupon it would infect the recipient’s signature settings, and so on: a true self-spreading virus.
Pynnönen told Yahoo on the second day of Christmas (26 December 2015); Yahoo fixed it by Twelfth Night (06 January 2016) before anyone else could find it and abuse it; the world was safe; and Pynnönen was awarded $10,000 for his troubles.
One year on
Fast forward one year, and Pynnönen figured he might as well try again.
Unfortunately (or fortunately, given that he once again told Yahoo privately so that the problem could quickly be fixed), he found a different way to do much the same thing.
This time, he played around with Yahoo’s email feature called Share files from cloud providers.
He found that when he fed this Yahoo link-sharing option with a URL, it built the URL into a fragment of HTML that was then included in the email that was sent.
He couldn’t control the HTML that was wrapped around his URL, but he noticed that if he used a YouTube URL, Yahoo seemed to accept it blindly, apparently without sanitising it.
Bingo: cross-site scripting, or XSS.
(As we explained above, XSS is where an untrusted script from source Y is treated as though it came from site X and is therefore imbued with the right to interact fully with site X.)
In other words, Pynnönen could have pulled off an email signature virus attack all over again.
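What the defect described above looks like in code, as an added example that is not from the article and not Yahoo's own code: a link-sharing routine that trusts a URL because it starts with a YouTube prefix and splices it straight into an HTML fragment, beside a version that parses the URL, allowlists the scheme and host, and HTML-escapes it on output. The function names, the shape of the fragment and the sample inputs are assumptions made for the illustration.

```javascript
// Added example (not Yahoo's code): building a "share a link" HTML fragment
// two ways. buildShareHtmlNaive() mirrors the class of defect the article
// describes: a URL is trusted because it looks like YouTube and is inserted
// verbatim. buildShareHtmlSafe() validates the URL and escapes it on output.
// Function names, fragment layout and sample inputs are assumptions.

// Escape the five characters that change meaning inside an HTML attribute
// value or text node. '&' must be replaced first so it is not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: a prefix check is not sanitisation. Anything after the prefix,
// including quote and angle-bracket characters, lands in the HTML untouched.
function buildShareHtmlNaive(url) {
  if (!url.startsWith("https://www.youtube.com/")) return null;
  return '<a href="' + url + '">' + url + "</a>";
}

// Hardened: parse with the WHATWG URL parser, allowlist scheme and host,
// then escape the normalised URL before it touches the markup.
// Returns null when the URL is rejected.
function buildShareHtmlSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== "https:") return null;
  const allowedHosts = new Set(["www.youtube.com", "youtu.be"]);
  if (!allowedHosts.has(parsed.hostname)) return null;
  // parsed.href is the normalised form; escaping it keeps the value inert in
  // both the attribute and the link text whatever characters it contains.
  const safe = escapeHtml(parsed.href);
  return '<a href="' + safe + '">' + safe + "</a>";
}

// Defender-side check: true when the fragment contains any tag other than
// the single <a>...</a> we intended to emit, i.e. the input broke out.
function fragmentHasExtraTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?a(\s|>)/.test(t));
}

// Constructed sample inputs (not taken from the article).
const GOOD_URL = "https://www.youtube.com/watch?v=abc123";
const BAD_URL = 'https://www.youtube.com/watch?v=abc"><b>injected</b>';

// Convenience wrapper returning both fragments and whether each broke out.
function demo(url) {
  const naive = buildShareHtmlNaive(url);
  const safe = buildShareHtmlSafe(url);
  return {
    naive,
    naiveBrokeOut: naive !== null && fragmentHasExtraTags(naive),
    safe,
    safeBrokeOut: safe !== null && fragmentHasExtraTags(safe),
  };
}
```

Running `demo(BAD_URL)` shows the naive fragment containing a second element that the sender never wrote, while the hardened fragment keeps the whole value inside the `href` attribute and link text. Note that the URL parser alone already percent-encodes quotes and angle brackets in the query string; the explicit `escapeHtml` step still matters for characters the parser leaves alone, such as `&`, and for any code path where the value is not routed through a parser first.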
What to do?
You don’t need to do anything, because the bug was in Yahoo’s code and was therefore Yahoo’s to fix.
Just like last year, Pynnönen told Yahoo privately and Yahoo, to its credit, has already fixed it.
And, just like last year, he received $10,000 – not a bad Christmas present!
Reference Article: https://nakedsecurity.sophos.com/2016/12/09/how-one-man-could-have-set-loose-a-yahoo-mail-virus/