XSS+Ajax worm attacking Yahoo mail users

Published 13 June 06 04:58 PM | Billy 

At the beginning of the week, Yahoo was attacked by a worm that propagates using nothing but JavaScript and Ajax. I've been giving interviews to the press all day and talked with the FBI about the worm, so let me take a moment to fill you all in.
 
Cross Site Scripting (XSS) is a really big problem that most people don’t take seriously enough. In the past XSS was mainly used for cookie theft, session hijacking, petty vandalism, or just to be annoying. But Ajax, with its ability to make HTTP connections from JavaScript without user intervention, makes XSS much more dangerous. SPI has been at the forefront of researching the dangers of XSS+Ajax. I spoke at the Toorcon security conference in September 2005 about the dangers of this blended threat (see slides here). The MySpace worm, also known as the Samy worm, of October 2005 was the first public use of XSS and Ajax.

Here is how the worm works:

A victim opens an email message inside of Yahoo’s web-based email system. This email message contains an HTML IMG tag. This IMG tag contains an onload attribute which contains JavaScript that will execute when the image has finished loading. This JavaScript does several things:

  • Uses XmlHttpRequest to fetch the victim’s address book
  • Scrapes the address book for all yahoo.com email addresses.
  • Uses XmlHttpRequest to grab a “crumb”, which is a token required to send email
  • Uses XmlHttpRequest to send an email infected with the worm to everyone in the victim’s address book who has a yahoo.com email address
  • Sends the harvested email addresses to a 3rd party, presumably for spamming purposes.

How did this happen? Well, Yahoo failed to perform proper input validation. They didn’t strip out all the different HTML attributes that allow script to execute.
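As an added example (my own illustration, not Yahoo’s code or anything from the worm), here is the kind of control the paragraph above says was missing: a filter that only blocklists `<script>` leaves an `<img onload="...">` handler untouched, while rebuilding each tag from a per-tag attribute allowlist drops every `on*` attribute without having to enumerate them. The tag and attribute lists and the sample message are assumptions I constructed; the regex tag parser is a simplification, so a production filter should run on a real HTML parser or a maintained sanitizer library.

```javascript
// Added example (hypothetical, not Yahoo's code): rebuild each HTML tag from an
// attribute allowlist so every on* handler (e.g. IMG onload) is dropped, instead of
// blocklisting <script> alone, which is the gap the post describes.

// Naive blocklist filter: strips <script> elements and nothing else.
function naiveFilter(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Per-tag attribute allowlist (assumed); any tag or attribute not listed is dropped.
const ALLOWED = new Map(Object.entries({ p: [], br: [], b: [], i: [],
  a: ["href", "title"], img: ["src", "alt", "width", "height"] }));
const SAFE_URL = /^(https?:|mailto:)/i; // rejects javascript: and data: URLs
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuild one tag, keeping only allowlisted attributes with safe values.
function sanitizeTag(_, slash, name, attrs) {
  const tag = name.toLowerCase();
  if (!ALLOWED.has(tag)) return "";     // unknown tag (script, iframe, ...): drop it
  if (slash) return `</${tag}>`;
  const kept = [];
  for (const m of attrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!ALLOWED.get(tag).includes(attr)) continue;   // drops onload, onerror, style, ...
    if ((attr === "src" || attr === "href") && !SAFE_URL.test(value)) continue;
    kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
  }
  return `<${tag}${kept.length ? " " + kept.join(" ") : ""}>`;
}

// Extract well-formed tags, escape any leftover markup (an unclosed tag a browser
// would still parse), then splice the rebuilt tags back in.
function sanitizeHtml(html) {
  const tags = [];
  const marked = html.replace(/\0/g, "").replace(TAG_RE, (...m) => {
    tags.push(sanitizeTag(...m));
    return `\0${tags.length - 1}\0`;
  });
  const escaped = marked.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return escaped.replace(/\0(\d+)\0/g, (_, i) => tags[Number(i)]);
}

// Constructed sample message: a script block plus an image with an event handler.
const SAMPLE = '<p>Hi</p><script>alert(1)</script>' +
  '<img src="http://example.test/a.png" onload="alert(2)">';
const hasEventHandler = (html) => /\bon[a-z]+\s*=/i.test(html);
console.log(naiveFilter(SAMPLE));   // onload survives the blocklist
console.log(sanitizeHtml(SAMPLE));  // <p>Hi</p>alert(1)<img src="http://example.test/a.png">
```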

Since Yahoo has fixed the problem, I've attached the source code for the worm to this post. It's quite a learning experience to examine for yourselves. You can see it is quite small and uses only 3 Ajax calls to send infected email to everyone in your address book.

Update: The virus scanner running on our server keeps deleting the virus. I have encoded the virus with ROT13 to prevent the virus scanner from flagging it. You will need to use a site like this to decode the source code and read the virus.

Attachment(s): Yamanner.js - ROT13.txt


About Billy

Billy Hoffman is the lead researcher for SPI Labs.