Yahoo Mail relied on a JavaScript function in connection with uploading images from a message to their mail server. Yahoo Mail made limited use of Ajax to spur interactions between the mail user and Yahoo's servers. The Yamanner worm exploited one of the few JavaScript functions that Yahoo Mail didn't already screen out, the ability to execute JavaScript in connection with directions to upload an image from a user's mail message. The worm substituted its own JavaScript commands where the image-handling code was meant to go.
JavaScript is a key component of Ajax, a set of technologies that is being used more and more frequently for Web applications. Yahoo uses Ajax in its Yahoo Calendar, Yahoo Sports and Yahoo Photos and its Flickr, an end user photo editing page, as well as Yahoo Mail.
"This kind of worm shouldn't be a surprise to anyoneWe can expect to continue to see viruses" as long as Web sites and enterprises are implementing Ajax applications without understanding their vulnerabilities, said David Wagner, assistant professor of computer science at the University of California at Berkeley, in an email explanation of what happened. Without careful, designed-in security, Web applications using Ajax will open many additional doors to malicious code writers. The worm in Yahoo Mail, dubbed Yamanner, was able to send a request from the user's computer to a Yahoo Mail server, seeking the names in the user's address book. It then composed a message to all those names and sent them out as a means of spreading itself, as recipients opened their messages.
Unlike previous worms, it did not travel in the form of an attachment or require the user to click on a link or icon. Merely opening a message from an infect source exposed the user, and within seconds, all the names in the user's address book.
Yahoo Mail is displayed in the user's browser Window, and browsers are designed to execute any JavaScript they find in an HTML page or message. As Yamanner recipients opened their messages, there was no outward sign for the user that anything was amiss. The Yamanner worm didn't need an image to be included with a message to do its work. The JavaScript executes in background, the browser performs no checks on whether it is performing the expected function or not, and the worm shows no telltale of its activity on the user's screen, except a possible slowdown in other activities.
In addition to ordering the user's computer to query the Yahoo mail server for the user's address book, generate a message and send them out to each name in the address book, Yamanner also captured the addresses and uploaded them to a still unidentified Web site. By doing so, it was building an email list with many thousands of names that could be sold to spammers, note Web security experts.
Why would one of the world's largest email suppliers leave such an exposure in its Web service? Yahoo couldn't be reached for comment, but probably because, like other Ajax-based functions, it was useful to its email users.
"The problem isn't that Yahoo is incompetent. The problem is that filtering JavaScript to make it safe is very, very hard," said Wagner. "JavaScript gives the attacker the advantages, and the defenders have to work very hard to make up for that." Not only is hard to defend against misuse of JavaScript, it's easy for skilled hackers to find the openings. A hacker sending test messages to himself through Yahoo mail could insert harmless JavaScript in various places until he finds something that works, said Gary McGraw, chief technology officers of security consultanting firm, Cigital. The JavaScript might do something as show a pop-up box on his screen with the message, JavaScript running. It might take several tries, but by the time he inserted the JavaScript as a substitute for the upload image function in Yahoo Mail, he would have had a pop-up indicator that he had found his hole.
"You don't have to be that clever. It's pretty easy," said McGraw.
Once discovered, such an opening is often shared with other hackers and several forms of attack materialize on the exposure at once. In Yahoo's case, the hole appears to have been filled before additional attackers could exploit it. Future vulnerabilities are likely to be found in mash-ups, the combination of a known service based on Ajax, such as Google Maps, and some service added on top of them. Google Maps is widely used in online services, including apartment hunting sites.
"JavaScript was dangerous before Ajax came around," noted Billy Hoffman, lead R&D researcher at SPI Dynamics Inc., a computer security firm. With the addition of Ajax functionality in many other Web applications, the problem is going to get worse before it gets better, he said.
