Yahoo Mail Worm May Be First Of Many As Ajax Proliferates - InformationWeek
Companies are quickly embracing Ajax and related techniques for Web applications. Expect more security problems like the Yamanner worm along the way.

The Yamanner worm that infested Yahoo Mail was quickly countered by a change to the servers that run Yahoo's popular email service. Nevertheless, over a roughly 36-hour period the world got a glimpse of what is in store unless stricter measures are followed in building Web applications.

Yahoo Mail made limited use of Ajax to speed up interactions between the mail user and Yahoo's servers, and it relied on a JavaScript function in connection with loading images embedded in a message. The Yamanner worm exploited one of the few places where Yahoo Mail did not already screen out JavaScript: the image-handling markup of an HTML message, where an event-handler attribute on an image tag slipped past the filter. The worm substituted its own JavaScript commands where the image-handling code was meant to go, so the script ran as soon as the message was displayed.

JavaScript is a key component of Ajax, a set of techniques that is being used more and more frequently in Web applications. Besides Yahoo Mail, Yahoo uses Ajax in Yahoo Calendar, Yahoo Sports, Yahoo Photos and its Flickr photo-sharing site.

"This kind of worm shouldn't be a surprise to anyone. ... We can expect to continue to see viruses" as long as Web sites and enterprises are implementing Ajax applications without understanding their vulnerabilities, said David Wagner, assistant professor of computer science at the University of California at Berkeley, in an email explanation of what happened. Without careful, designed-in security, Web applications using Ajax will open many additional doors to malicious code writers. The worm in Yahoo Mail, dubbed Yamanner, was able to send a request from the user's browser to a Yahoo Mail server, riding on the user's own logged-in session, to fetch the names in the user's address book. It then composed a message to each of those names and sent them out; the worm spread as recipients opened those messages.

Unlike previous email worms, it did not travel as an attachment or require the user to click on a link or icon. Merely opening a message from an infected sender was enough to run the worm, and within seconds it had harvested every name in the user's address book.

Yahoo Mail is displayed in the user's browser window, and browsers execute whatever JavaScript they find in an HTML page. Because the message is rendered inside the Yahoo Mail page itself, the injected script runs with the same privileges as Yahoo's own code, including the user's login session; the browser has no way to tell the two apart. As Yamanner recipients opened their messages, there was no outward sign that anything was amiss. The worm did not even need an actual image to be included with a message to do its work. The JavaScript executes in the background, the browser performs no check on whether the script is doing what the application intended, and the worm shows no telltale of its activity on the user's screen, except a possible slowdown in other activities.

In addition to ordering the user's browser to query the Yahoo Mail server for the user's address book, generate a message and send it to each name in the address book, Yamanner also captured the addresses and uploaded them to a still unidentified Web site. By doing so it was building an email list with many thousands of names that could be sold to spammers, Web security experts note.

Why would one of the world's largest email providers leave such an exposure in its Web service? Yahoo couldn't be reached for comment, but the likely answer is that, like other Ajax-based functions, the feature was useful to its email users.

"The problem isn't that Yahoo is incompetent. The problem is that filtering JavaScript to make it safe is very, very hard," said Wagner. "JavaScript gives the attacker the advantages, and the defenders have to work very hard to make up for that." Not only is it hard to defend against misuse of JavaScript, it is easy for skilled hackers to find the openings. A hacker sending test messages to himself through Yahoo Mail could insert harmless JavaScript in various places until he finds something that works, said Gary McGraw, chief technology officer of security consulting firm Cigital. The JavaScript might do something as simple as show a pop-up box on his screen with the message "JavaScript running." It might take several tries, but by the time he inserted the JavaScript as a substitute for the image-handling function in Yahoo Mail, he would have had a pop-up indicator that he had found his hole.

"You don't have to be that clever. It's pretty easy," said McGraw.
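As an added example (not code from the article, from Yahoo, or from any of the people quoted), the following Python shows why Wagner's point holds. It puts a regular-expression blocklist filter, of the kind that strips known attributes such as onload, beside an allowlist sanitizer that parses the message and re-emits only the tags and attributes it knows are harmless. The weak filter and the message samples are constructed for this illustration and are not Yahoo's filter or the Yamanner payload; the third sample smuggles an event handler onto an image tag with no whitespace in front of it, which the blocklist's pattern does not anticipate.

```python
"""Blocklist vs. allowlist filtering of untrusted HTML mail.

Added illustration: the weak filter below is a constructed example of a
regular-expression blocklist, not Yahoo's actual filter, and the sample
messages are made up for this demonstration.
"""
import html
import re
from html.parser import HTMLParser

# ---- Approach 1: regular-expression blocklist (fragile) ---------------------
# Strips "<whitespace>onXXX=value". The pattern quietly assumes that whitespace
# precedes every attribute name, which HTML syntax does not require.
_EVENT_HANDLER = re.compile(
    r'\s+on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.IGNORECASE)
_SCRIPT_TAG = re.compile(r'<script\b.*?</script\s*>', re.IGNORECASE | re.DOTALL)

def sanitize_blocklist(markup: str) -> str:
    """Remove what we know is bad; everything else is forwarded untouched."""
    return _EVENT_HANDLER.sub('', _SCRIPT_TAG.sub('', markup))

# ---- Approach 2: parse, then re-emit only what is known to be safe ----------
ALLOWED_TAGS = {'p', 'br', 'b', 'i', 'a', 'img'}
ALLOWED_ATTRS = {'a': {'href'}, 'img': {'src', 'alt'}}
VOID_TAGS = {'br', 'img'}
SAFE_URL_SCHEMES = ('http:', 'https:')

class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []

    @staticmethod
    def _safe_url(value):
        return (value or '').strip().lower().startswith(SAFE_URL_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                  # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:   # the parser lower-cases names for us
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue            # event handlers and anything unlisted vanish here
            if name in ('href', 'src') and not self._safe_url(value):
                continue            # rejects javascript:, data:, vbscript: URLs
            kept.append(' %s="%s"' % (name, html.escape(value or '', quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_allowlist(markup: str) -> str:
    """Forward only tags/attributes on the allowlist; unknown bytes never pass."""
    parser = _AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)

# ---- Constructed samples and a comparison harness ---------------------------
SAMPLES = {
    'benign':           '<p>Hi <b>Bob</b>, see <img src="https://example.com/cat.jpg" alt="cat"></p>',
    'plain handler':    '<img src="https://example.com/x.jpg" onload="alert(1)">',
    'no-space handler': '<img src="https://example.com/x.jpg" target=""onload="alert(1)">',
    'js url':           '<a href="javascript:alert(1)">click</a>',
}

# Crude post-check used only to score the two filters in this demo.
_LOOKS_EXECUTABLE = re.compile(r'on\w+\s*=|javascript:', re.IGNORECASE)

def survives_filter(markup: str, sanitizer) -> bool:
    """True if the sanitizer's output still carries a handler or a script URL."""
    return bool(_LOOKS_EXECUTABLE.search(sanitizer(markup)))

def compare_filters():
    """Map sample name -> (script survives blocklist, script survives allowlist)."""
    return {name: (survives_filter(m, sanitize_blocklist),
                   survives_filter(m, sanitize_allowlist))
            for name, m in SAMPLES.items()}

if __name__ == '__main__':
    for name, result in compare_filters().items():
        print('%-17s blocklist leaks: %-5s allowlist leaks: %s' % (name, result[0], result[1]))
```

Each entry of compare_filters() is a pair saying whether script survives the blocklist and the allowlist respectively. The blocklist catches only the case it was written for and passes both the whitespace-free handler and the javascript: URL; the allowlist passes neither, because a parse-then-reserialize pass never forwards markup it did not recognise, whereas a regex filter forwards everything it failed to match.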

Once discovered, such an opening is often shared among hackers, and several forms of attack materialize on the exposure at once. In Yahoo's case, the hole appears to have been closed before additional attackers could exploit it. Future vulnerabilities are likely to be found in mash-ups, combinations of a known Ajax-based service, such as Google Maps, with some service built on top of it. Google Maps is widely used in online services, including apartment-hunting sites.

"JavaScript was dangerous before Ajax came around," noted Billy Hoffman, lead R&D researcher at SPI Dynamics Inc., a computer security firm. With the addition of Ajax functionality in many other Web applications, the problem is going to get worse before it gets better, he said.
