Firefox/Ubuntu not immune to Yahoo! mail exploit
[Update at 20:08 EST: Dan Veditz from the Mozilla team responded "We looked at the URL and don't think it was a Firefox exploit." He mentioned ads and Flash that might make a Windows machine vulnerable, but not Linux.]
[Update at 22:13 EST: Time line appears to exonerate Firefox and Ubuntu-specific exploits. His machine does not appear to have been compromised. The issue appears to involve Yahoo! mail authentication.
Using browser history, output of the last command, and timestamps from my friend's Yahoo! account, my friend and I reconstructed the following time line:
Yesterday, 8:10 AM: Yahoo! records a normal login to his Yahoo! mail account from his home state.
Yesterday, ~11 PM: An email is delivered to his Yahoo! mail account from a correspondent using an email account hosted by Yahoo! (@sbcglobal.net)
Today, before 8 AM: He checks his email, reads the bogus email and clicks the link for the phony MSNBC article and from it, visits the Home Cash Profits page.
Around 9:15 AM: He turns off his computer.
9:49-9:57 AM: The spam emails are sent from his Yahoo! mail account (and end up in his Sent Mail folder).
After 2:00 PM: He turns on his computer, checks his email, and finds many bounces in response to the spam sent earlier.
8:53 PM: Yahoo! records a normal login to his account from his home state.
The message sent to me includes the following headers:
Received: from [109.251.20.47] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 06:56:10 PST
X-Mailer: YahooMailWebService/0.8.123.460
Code:
> host 109.251.20.47
47.20.251.109.in-addr.arpa domain name pointer 109.251.20.47.freenet.com.ua.
> mtr -c 1 -r 109.251.20.47 | tail -n 4
12. freenet-gw2-w.kiev.top.net.u 0.0% 1 153.9 153.9 153.9 153.9 0.0
13. W307.core2.lv-kv.freenet.ua 0.0% 1 165.2 165.2 165.2 165.2 0.0
14. lv.core.freenet.com.ua 0.0% 1 162.5 162.5 162.5 162.5 0.0
15. ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
.ua is the TLD for Ukraine. When I had him "View his recent sign-in activity" in Yahoo!, all logins back through October 29 were from his home state.
His computer was off when the spam was sent. No additional logins were recorded on the Yahoo! mail account. It appears that the auth token (cookie) is leaking somehow.
End update]
I set up a friend on Ubuntu 10.04.4 LTS, which runs Firefox 16.0.2.
This morning he received an email in his Yahoo! account from someone with whom he's previously exchanged email. The email looked something like this:
Subject: RE:[his first name] Hey
check this out when you get a chance [URL omitted]
He viewed the webpage. The URL was (poorly) disguised to appear as if it was a news article on MSNBC. He also viewed the page for Home Cash Profits which was the focus of the bogus news article.
Subsequently, his Yahoo account filled with bounces from people in his address book, the body text of which resembled the message above. He normally can access Yahoo! mail without a password, since he checks "stay logged in" or whatever the option is to receive an auth token in a cookie. I think his Yahoo! password is saved in Firefox as well.
I received one of the bogus emails from my friend, which Gmail flagged as phishing (my friend reports that Yahoo! did not flag the email in any way). When using Gmail's Show original option there doesn't appear to be any payload, unless it somehow exploits the X-YMail-OSG header and is very small. The following header is present in the bogus mail from my friend:
Message-ID: <1352904970.97677.androidMobile@web160302.mail.bf1.yahoo.com>
My friend runs the Ubuntu version listed above on a laptop, and doesn't own an Android device.
It would appear that the exploit is hosted on the web page which is sent in the email. The web page was up within the last 30 minutes (14 November, ~16:00 EST). I've included the URL below, trivially rot-13 encoded to protect the unwary.
WARNING: Do NOT decode and visit this URL unless you know what you are doing!
uggc://zfaop.zfa.pbz-arjf9.hf/wbof/
Again, the above encoded URL can exploit Yahoo! mail accounts accessed from Firefox 16.0.2 running on Ubuntu 10.04.4 LTS. Google searches for the URL also turn up some blog comment spam.
I don't have the time to look into this, so I would appreciate some assistance from the experts.
I've instructed my friend to unplug his ethernet cable and keep his computer offline until we can resolve the situation.
Update at 16:56 EST: The URL is still live. Reported the site as a web forgery (using Firefox's built-in tool which reports to Google) and sent an email to Firefox security pointing to this thread.
Update at 17:48 EST: It's possible that this is a Yahoo! mail-specific exploit. My friend has in the past corresponded by email with the person whose account sent the bogus email, who was then using a @sbcglobal.net address. www.sbcglobal.net redirects to att.yahoo.com which is branded att.net but says "Powered by Yahoo!" The Check mail link on that page shows login.yahoo.com. Since my friend's computer is now offline, we can't check Yahoo! mail to see the return address used on the bogus email he received.
Update at 18:21 EST: A tar bzipped copy of the webpage saved using "Save Page As..." in Firefox 16.0.2 is available here: https://sites.google.com/site/tod222/possibly_malicious_webpage_saved_for_forensic_exam.tbz
Update at 19:34 EST: Title changed from "Active in-the-wild exploit for Firefox/Ubuntu"
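As an added example (not part of the original post), here is the check the time line above amounts to, run over the quoted headers: parse Yahoo's "via HTTP" Received line, ask whether any recorded sign-in explains the send, and flag the androidMobile Message-ID for an owner with no Android device. The sign-in list, the home network (203.0.113.0/24, a documentation range) and the EST offset are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample: the Received / X-Mailer / Message-ID lines quoted in the
# thread, joined into one header block.
HEADERS = """\
Received: from [109.251.20.47] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 06:56:10 PST
X-Mailer: YahooMailWebService/0.8.123.460
Message-ID: <1352904970.97677.androidMobile@web160302.mail.bf1.yahoo.com>
"""

# Constructed stand-in for the "recent sign-in activity" list: the two normal
# logins from the time line, attributed to an assumed home network (TEST-NET-3).
EST = timezone(timedelta(hours=-5))
SIGN_INS = [
    {"time": datetime(2012, 11, 13, 8, 10, tzinfo=EST), "ip": ip_address("203.0.113.25")},
    {"time": datetime(2012, 11, 14, 20, 53, tzinfo=EST), "ip": ip_address("203.0.113.25")},
]
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

RECEIVED_RE = re.compile(
    r"^Received: from \[(?P<ip>[\d.]+)\] by (?P<host>\S+) via HTTP; (?P<date>.+)$", re.M)

def parse_webmail_received(headers):
    """Pull the client IP, webmail host and send time from Yahoo's HTTP Received line."""
    m = RECEIVED_RE.search(headers)
    if not m:
        return None
    # Yahoo writes the zone as "PST"; strptime needs a numeric offset (-0800).
    sent = datetime.strptime(m["date"].replace(" PST", " -0800"), "%a, %d %b %Y %H:%M:%S %z")
    return {"ip": ip_address(m["ip"]), "host": m["host"], "sent": sent}

def session_anomalies(sent, sign_ins, trusted_nets, window=timedelta(hours=24)):
    """Flag a webmail send that no recorded sign-in explains (token reuse rather than a login)."""
    findings = []
    if not any(sent["ip"] in net for net in trusted_nets):
        findings.append("sender IP outside trusted networks")
    recent = [s for s in sign_ins if sent["sent"] - window <= s["time"] <= sent["sent"]]
    if not any(s["ip"] == sent["ip"] for s in recent):
        findings.append("no sign-in from sender IP within window")
    return findings

def client_mismatch(headers, owns_android=False):
    """True if the Message-ID claims the Android client but the owner has no Android device."""
    return bool(re.search(r"^Message-ID: <[^>]*androidMobile@", headers, re.M)) and not owns_android

if __name__ == "__main__":
    r = parse_webmail_received(HEADERS)
    print(r["ip"], r["sent"].isoformat(), session_anomalies(r, SIGN_INS, TRUSTED_NETS),
          client_mismatch(HEADERS))
```

The leading number of the Message-ID (1352904970) is the Unix time of the Received date, which is a convenient cross-check that the two headers describe the same send.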
Re: Active in-the-wild exploit for Firefox/Ubuntu
Sounds like CSRF, Clickjacking, or XSS. Probably one of the first two. In this case it's a browser exploit / website exploit (bypassing XSS filter / same origin policy).
I can't take a look at that link right now because I'm not on a safe machine so I'm only guessing. This would be an OS independent attack.
Re: Firefox/Ubuntu not immune to Yahoo! mail exploit
Quote (Originally Posted by tod222):
uggc://zfaop.zfa.pbz-arjf9.hf/wbof/
Jsunpack, vURL and Anubis for main link (48 scripts, 5 I-frames):
http://jsunpack.jeek.org/?report=d6c...749db2f5b07ccf
http://vurldissect.co.uk/?url=1731931
http://anubis.iseclab.org/?action=re...c4e&call=first
Jsunpack, vURL, Anubis and Wepawet for uk.travel.yahoo.com I-frame (18 scripts):
http://jsunpack.jeek.org/?report=d25...3706883f1be8d8
http://vurldissect.co.uk/?url=1731934
http://anubis.iseclab.org/?action=re...a64&call=first
http://wepawet.iseclab.org/view.php?...983675&type=js
None are reported as malicious.
Quote (Originally Posted by tod222):
Title changed from "Active in-the-wild exploit for Firefox/Ubuntu"
WD for changing the thread title into something less sensationalist.
Re: Firefox/Ubuntu not immune to Yahoo! mail exploit
Quote (Originally Posted by unspawn):
WD for changing the thread title into something less sensationalist.
Changed the title of the thread to the title of the OP.
Could be all sorts of things, but I doubt it is an exploit in Firefox itself.
My first thought is they grabbed the auth token or cookie and used that to login, but I don't really know for sure.
Re: Firefox/Ubuntu not immune to Yahoo! mail exploit
Quote (Originally Posted by CharlesA):
Changed the title of the thread to the title of the OP.
Great, thanks.
Quote (Originally Posted by CharlesA):
My first thought is they grabbed the auth token or cookie and used that to login, but I don't really know for sure.
Yes, it seems like that's what happened.
Re: Firefox/Ubuntu not immune to Yahoo! mail exploit
Found an article this morning that explains what's most likely going on in this situation. As most of us thought, the bug is not on the client side. This is something Yahoo has to find and fix.