
Thread: Firefox/Ubuntu not immune to Yahoo! mail exploit

  1. #1

    Exclamation Firefox/Ubuntu not immune to Yahoo! mail exploit

    [Update at 20:08 EST: Dan Veditz from the Mozilla team responded "We looked at the URL and don't think it was a Firefox exploit." He mentioned ads and Flash that might make a Windows machine vulnerable, but not Linux.]

    [Update at 22:13 EST: Time line appears to exonerate Firefox and Ubuntu-specific exploits. His machine does not appear to have been compromised. The issue appears to involve Yahoo! mail authentication.

    Using browser history, output of the last command, and timestamps from my friend's Yahoo! account, my friend and I reconstructed the following time line:
    Yesterday, 8:10 AM: Yahoo! records a normal login to his Yahoo! mail account from his home state.

    Yesterday, ~11 PM: An email is delivered to his Yahoo! mail account from a correspondent using an email account hosted by Yahoo! (@sbcglobal.net)

    Today, before 8 AM: He checks his email, reads the bogus email and clicks the link for the phony MSNBC article and from it, visits the Home Cash Profits page.

    Around 9:15 AM: He turns off his computer.

    9:49-9:57 AM: The spam emails are sent from his Yahoo! mail account (and end up in his Sent Mail folder).

    After 2:00 PM: He turns on his computer, checks his email, and finds many bounces in response to the spam sent earlier.

    8:53 PM: Yahoo! records a normal login to his account from his home state.
    The message sent to me includes the following headers:
    Received: from [109.251.20.47] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 06:56:10 PST
    X-Mailer: YahooMailWebService/0.8.123.460
    Code:
    > host 109.251.20.47
    47.20.251.109.in-addr.arpa domain name pointer 109.251.20.47.freenet.com.ua.
    > mtr -c 1 -r 109.251.20.47 | tail -n 4
     12. freenet-gw2-w.kiev.top.net.u  0.0%     1  153.9 153.9 153.9 153.9   0.0
     13. W307.core2.lv-kv.freenet.ua   0.0%     1  165.2 165.2 165.2 165.2   0.0
     14. lv.core.freenet.com.ua        0.0%     1  162.5 162.5 162.5 162.5   0.0
     15. ???                          100.0     1    0.0   0.0   0.0   0.0   0.0
    .ua is the TLD for Ukraine. When I had him "View his recent sign-in activity" in Yahoo!, all logins back through October 29 were from his home state.

    His computer was off when the spam was sent. No additional logins were recorded on the Yahoo! mail account. It appears that the auth token (cookie) is leaking somehow.

    End update]


    I set up a friend on Ubuntu 10.04.4 LTS, which runs Firefox 16.0.2.

    This morning he received an email in his Yahoo! account from someone with whom he's previously exchanged email. The email looked something like this:
    Subject: RE:[his first name] Hey

    check this out when you get a chance [URL omitted]
    He viewed the webpage. The URL was (poorly) disguised to appear as if it was a news article on MSNBC. He also viewed the page for Home Cash Profits which was the focus of the bogus news article.

    Subsequently, his Yahoo account filled with bounces from people in his address book, the body text of which resembled the message above. He normally can access Yahoo! mail without a password, since he checks "stay logged in" or whatever the option is to receive an auth token in a cookie. I think his Yahoo! password is saved in Firefox as well.

    I received one of the bogus emails from my friend, which Gmail flagged as phishing (my friend reports that Yahoo! did not flag the email in any way). When using Gmail's Show original option there doesn't appear to be any payload, unless it somehow exploits the X-YMail-OSG header and is very small. The following header is present in the bogus mail from my friend:
    Message-ID: <1352904970.97677.androidMobile@web160302.mail.bf1.yahoo.com>
    My friend runs the Ubuntu version listed above on a laptop, and doesn't own an Android device.

    It would appear that the exploit is hosted on the web page which is sent in the email. The web page was up within the last 30 minutes (14 November, ~16:00 EST). I've included the URL below, trivially rot-13 encoded to protect the unwary.

    WARNING: Do NOT decode and visit this URL unless you know what you are doing!
    uggc://zfaop.zfa.pbz-arjf9.hf/wbof/
    Again, the above encoded URL can exploit Yahoo! mail accounts accessed from Firefox 16.0.2 running on Ubuntu 10.04.4 LTS. Google searches for the URL also turn up some blog comment spam.

    I don't have the time to look into this, so I would appreciate some assistance from the experts.

    I've instructed my friend to unplug his ethernet cable and keep his computer offline until we can resolve the situation.

    Update at 16:56 EST: The URL is still live. Reported the site as a web forgery (using Firefox's built-in tool which reports to Google) and sent an email to Firefox security pointing to this thread.

    Update at 17:48 EST: It's possible that this is a Yahoo! mail-specific exploit. My friend has in the past corresponded by email with the person whose account sent the bogus email, who was then using a @sbcglobal.net address. www.sbcglobal.net redirects to att.yahoo.com which is branded att.net but says "Powered by Yahoo!" The Check mail link on that page shows login.yahoo.com. Since my friend's computer is now offline, we can't check Yahoo! mail to see the return address used on the bogus email he received.

    Update at 18:21 EST: A tar bzipped copy of the webpage saved using "Save Page As..." in Firefox 16.0.2 is available here: https://sites.google.com/site/tod222/possibly_malicious_webpage_saved_for_forensic_exam.tbz

    Update at 19:34 EST: Title changed from "Active in-the-wild exploit for Firefox/Ubuntu"
    Last edited by tod222; November 15th, 2012 at 04:51 AM. Reason: Update to time line
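The time line above is built by hand from three sources: the submitting IP and timestamp in the spam's Received header, the client tag in its Message-ID, and the owner's own account of when the laptop was on and when Yahoo! recorded sign-ins. The following script is an added example (not code from the thread or from Yahoo!) that automates that comparison. The Received, X-Mailer and Message-ID lines are the ones quoted in the post; the Received-header format is assumed from that single sample. The owner profile (home network prefix 203.0.113.0/24 as a placeholder for the real ISP range, the 9:15 AM to 2:00 PM offline window, the two sign-in entries, no mobile device) is constructed from the post's time line, as is the benign control message.

```python
"""Triage the headers of a message apparently sent from a hijacked webmail
account.  Added example, not code from the thread.  The spam's Received,
X-Mailer and Message-ID lines are the ones quoted in the post; the owner
profile and the benign control message are constructed for illustration,
and 203.0.113.0/24 is a placeholder for the owner's real ISP range."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

EST = timezone(timedelta(hours=-5))

# Constructed sample: the spam's quoted headers plus a minimal body.
SAMPLE_SPAM = """\
Received: from [109.251.20.47] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 06:56:10 PST
X-Mailer: YahooMailWebService/0.8.123.460
Message-ID: <1352904970.97677.androidMobile@web160302.mail.bf1.yahoo.com>
Subject: RE:Friend Hey

check this out when you get a chance http://example.invalid/
"""

# Constructed benign control: sent from the owner's (placeholder) network two
# minutes after the 8:53 PM EST sign-in, with a placeholder client tag "web".
BENIGN = """\
Received: from [203.0.113.7] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 17:55:00 PST
X-Mailer: YahooMailWebService/0.8.123.460
Message-ID: <1352948100.12345.web@web160302.mail.bf1.yahoo.com>
Subject: Re: dinner

Sounds good.
"""

# Hypothetical owner profile built from the post's time line (times in EST).
OWNER = {
    "home_networks": [ip_network("203.0.113.0/24")],
    "offline": (datetime(2012, 11, 14, 9, 15, tzinfo=EST),
                datetime(2012, 11, 14, 14, 0, tzinfo=EST)),
    "logins": [datetime(2012, 11, 13, 8, 10, tzinfo=EST),
               datetime(2012, 11, 14, 20, 53, tzinfo=EST)],
    "owns_mobile_device": False,
}

# Assumed from the quoted header: the webmail front end records the submitting
# browser's IP in brackets, followed by the server, protocol and date.
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[\d.]+)\] by (?P<server>\S+) via (?P<proto>\S+); (?P<date>.+)$")
# Assumed from the quoted Message-ID: the third dotted field names the client.
MSGID_RE = re.compile(r"<\d+\.\d+\.(?P<client>[A-Za-z]+)@")


def parse_submission(raw):
    """Return who handed the message to the webmail front end, and when."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header
        if m:
            break
    else:
        raise ValueError("no webmail submission Received header")
    tag = MSGID_RE.search(msg.get("Message-ID", ""))
    return {
        "client_ip": ip_address(m.group("ip")),
        "server": m.group("server"),
        "protocol": m.group("proto"),
        "sent_at": parsedate_to_datetime(m.group("date")),  # tz-aware
        "mailer": msg.get("X-Mailer", ""),
        "msgid_client": tag.group("client") if tag else "",
    }


def triage(raw, owner):
    """Compare the submission facts against what the owner reports."""
    sub = parse_submission(raw)
    flags = []
    if not any(sub["client_ip"] in net for net in owner["home_networks"]):
        flags.append(f"submitted from {sub['client_ip']}, outside the owner's networks")
    start, end = owner["offline"]
    if start <= sub["sent_at"] <= end:
        flags.append("submitted while the owner's machine was powered off")
    # A send with no sign-in in the preceding hour points at a reused session token.
    if not any(timedelta(0) <= sub["sent_at"] - t <= timedelta(hours=1)
               for t in owner["logins"]):
        flags.append("no sign-in recorded in the hour before submission (session reuse?)")
    if "mobile" in sub["msgid_client"].lower() and not owner["owns_mobile_device"]:
        flags.append(f"Message-ID client tag {sub['msgid_client']!r} but owner has no mobile device")
    return sub, flags


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("benign", BENIGN)):
        sub, flags = triage(raw, OWNER)
        print(name, sub["client_ip"],
              sub["sent_at"].astimezone(EST).strftime("%Y-%m-%d %H:%M EST"))
        for f in flags:
            print("  !", f)
```

Run against the quoted headers it reports 109.251.20.47 at 09:56 EST (the 06:56:10 PST in the header converted), which falls inside the 9:49-9:57 AM window in which the spam appeared in the Sent folder, inside the powered-off window, more than a day after the last recorded sign-in, and carrying a mobile client tag; the benign control produces no flags. The regexes are tied to the one header format seen on this page, so treat a `ValueError` as "different front end, extend the pattern", not as "clean".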

  2. #2

    Re: Active in-the-wild exploit for Firefox/Ubuntu

    Sounds like CSRF, Clickjacking, or XSS. Probably one of the first two. In this case it's a browser exploit/website exploit (bypassing XSS filter/same-origin policy).

    I can't take a look at that link right now because I'm not on a safe machine so I'm only guessing. This would be an OS independent attack.

  3. #3

    Re: Firefox/Ubuntu not immune to Yahoo! mail exploit

    Quote Originally Posted by tod222:
    uggc://zfaop.zfa.pbz-arjf9.hf/wbof/
    Jsunpack, vURL and Anubis for main link (48 scripts, 5 I-frames):
    http://jsunpack.jeek.org/?report=d6c...749db2f5b07ccf
    http://vurldissect.co.uk/?url=1731931
    http://anubis.iseclab.org/?action=re...c4e&call=first

    Jsunpack, vURL, Anubis and Wepawet for uk.travel.yahoo.com I-frame (18 scripts):
    http://jsunpack.jeek.org/?report=d25...3706883f1be8d8
    http://vurldissect.co.uk/?url=1731934
    http://anubis.iseclab.org/?action=re...a64&call=first
    http://wepawet.iseclab.org/view.php?...983675&type=js

    None are reported as malicious.


    Quote Originally Posted by tod222:
    Title changed from "Active in-the-wild exploit for Firefox/Ubuntu"
    WD for changing the thread title into something less sensationalist.

  4. #4

    Re: Firefox/Ubuntu not immune to Yahoo! mail exploit

    Quote Originally Posted by unspawn:
    WD for changing the thread title into something less sensationalist.
    Changed the title of the thread to the title of the OP.

    Could be all sorts of things, but I doubt it is an exploit in Firefox itself.

    My first thought is they grabbed the auth token or cookie and used that to login, but I don't really know for sure.

  5. #5

    Re: Firefox/Ubuntu not immune to Yahoo! mail exploit

    Quote Originally Posted by CharlesA:
    Changed the title of the thread to the title of the OP.
    Great, thanks.
    Quote Originally Posted by CharlesA:
    My first thought is they grabbed the auth token or cookie and used that to login, but I don't really know for sure.
    Yes, it seems like that's what happened.

  6. #6

    Re: Firefox/Ubuntu not immune to Yahoo! mail exploit

    Found an article this morning that explains what's most likely going on in this situation. As most of us thought, the bug is not on the client side. This is something Yahoo has to find and fix.
