
“Yahoobleed” flaw leaked private e-mail attachments and credentials

KSweeley

Member
Link: https://arstechnica.com/security/20...red-for-years-leaked-private-yahoo-mail-data/

”Yahoobleed" flaw leaked private e-mail attachments and credentials
Yahoo promptly retired ImageMagic library after failing to install 2-year-old patch.

5/22/2017

For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.

Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory. The easy-to-exploit flaws resided in ImageMagick, an image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other programming languages. One version of Yahoobleed was the result of Yahoo failing to install a critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers fixed only recently after receiving a private report from Evans.

The vulnerability discovered by Evans could be exploited by e-mailing a maliciously manipulated image file to a Yahoo Mail address. After opening the 18-byte file, chunks of Yahoo server memory began leaking to the end user. Evans called this version of the attack "Yahoobleed1." "Yahoobleed2" worked by exploiting the vulnerability fixed in January 2015.

Together, the bugs allowed attackers to obtain browser cookies, authentication tokens, and private image attachments belonging to Yahoo Mail users. Despite Yahoo allowing one of the bugs to remain unpatched for 28 months, Evans praised company engineers for their speed and thoroughness in responding to his private report.