Yahoo discontinued using ImageMagick because of the YahooBleed vulnerability

Yahoo has decided to stop using ImageMagick after a security researcher discovered a flaw in Yahoo Mail that came down to a single line of code.
Security researcher Chris Evans uncovered and publicly disclosed the Yahoobleed vulnerability on his personal blog, according to The Hacker News. Evans describes YahooBleed #1 (YB1) as a way for attackers to retrieve Yahoo Mail attachment data from Yahoo's servers.
YB1 exploits a flaw in ImageMagick, an open-source image-processing library that lets applications resize, crop, fade or otherwise edit images. It has bindings for PHP, Python, Ruby, Perl, C++ and many other programming languages. The same library made headlines last year with the zero-day vulnerability ImageTragick, which allowed attackers to execute malicious code on a web server by uploading crafted images.
Unlike earlier memory-disclosure bugs such as Heartbleed and Cloudbleed, Evans says, Yahoobleed relies on uninitialized memory: the server renders an image into a buffer that was never cleared and sends that buffer back to the client, so whatever the server memory previously held leaks along with it.
To demonstrate the problem, Evans placed an 18-byte exploit file into an email attachment and sent it to his own account. Clicking the attachment launches the image preview, and instead of the original image the service displays whatever still sits in server memory. As Evans explained, the JPEG shown in the browser is built from memory that was never initialized or had previously been freed.
According to Evans, the vulnerability lies in ImageMagick's handling of the RLE (Utah Raster Toolkit Run Length Encoded) format. An attacker hand-crafts an RLE image and sends it; a loop of empty protocol commands inside the image writes nothing to the output buffer, so its stale contents are leaked back out.
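The uninitialized-canvas pattern described above, as an added example written for this page (not ImageMagick's code or Evans' proof of concept): a toy decoder with a hypothetical opcode format, "previously used" server memory simulated by a static pool, and the hardened variant that clears the canvas before decoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy RLE-style decoder, constructed for this example. One-byte opcodes:
 * OP_PIXEL stores the next byte in the canvas, OP_SKIP advances without
 * writing, OP_EOF ends decoding. Hypothetical format, not the real RLE one. */
enum { OP_EOF = 0, OP_PIXEL = 1, OP_SKIP = 2 };

#define CANVAS_SIZE 8

/* Simulated reused memory: a pool that an earlier request filled with data,
 * standing in for freed heap pages on a busy server. */
static uint8_t g_pool[CANVAS_SIZE];

static void simulate_previous_request(void) {
    memcpy(g_pool, "SECRET!!", CANVAS_SIZE); /* constructed stale contents */
}

/* Vulnerable pattern: the canvas is used without clearing it, so any pixel the
 * opcode loop never writes keeps whatever the memory held before. */
size_t decode_vulnerable(const uint8_t *stream, size_t len, uint8_t *out) {
    size_t pos = 0;
    for (size_t i = 0; i < len && pos < CANVAS_SIZE; i++) {
        if (stream[i] == OP_EOF) break;
        if (stream[i] == OP_PIXEL && i + 1 < len) out[pos++] = stream[++i];
        else if (stream[i] == OP_SKIP) pos++;   /* leaves out[pos] untouched */
    }
    return pos;
}

/* Hardened pattern: zero the whole canvas first. The fix is that single
 * memset, mirroring a zero-fill of freshly allocated image memory. */
size_t decode_hardened(const uint8_t *stream, size_t len, uint8_t *out) {
    memset(out, 0, CANVAS_SIZE);
    return decode_vulnerable(stream, len, out);
}

/* Decodes a constructed stream of "empty" commands (two SKIPs, then EOF) into
 * the reused pool and returns how many canvas bytes still carry stale data. */
size_t stale_bytes_after_decode(int hardened) {
    static const uint8_t stream[] = { OP_SKIP, OP_SKIP, OP_EOF };
    simulate_previous_request();
    if (hardened) decode_hardened(stream, sizeof stream, g_pool);
    else decode_vulnerable(stream, sizeof stream, g_pool);
    size_t n = 0;
    for (size_t i = 0; i < CANVAS_SIZE; i++) n += (g_pool[i] != 0);
    return n;
}
```

The vulnerable decoder hands back all eight stale bytes for a stream that never writes a pixel; the hardened one returns an all-zero canvas.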
After Evans reported the vulnerability to Yahoo, the technology giant decided to "park" the open-source ImageMagick library to avoid any future vulnerabilities affecting its users.
Evans received a $14,000 reward from Yahoo for finding the ImageMagick vulnerability. Yahoo then doubled the reward to $28,000 after learning that Evans intended to donate the money to charity.
