Yahoo failed to patch ImageMagick for two years

May 22, 2017 21:53 GMT

Yahoo is once more at the center of a security scandal after an ImageMagick library exploit was found leaking user email content. 

The discovery was made by security researcher Chris Evans, who demonstrated the exploit, showing just how easy it was to break Yahoo's system to trigger email information leaks. Yahoo has since retired the use of the ImageMagick library.

Evans discovered two ways to get the result he wanted. Yahoobleed1, the first version, involved exploiting the vulnerability in ImageMagick by emailing a maliciously manipulated image file to a Yahoo Mail address. Once the 18-byte file was opened, chunks of Yahoo server memory were leaked to the end user. The second version, Yahoobleed2, worked by exploiting the vulnerability.

The underlying problem is that ImageMagick, an image-processing library supported by dozens of programming languages, had a vulnerability. Its developers released a critical patch for this problem back in January 2015, a patch that Yahoo failed to install. The second Yahoobleed vulnerability Evans discovered was the result of a bug he found in the same tool, which the developers fixed recently after the researcher reported it.

A problematic vulnerability

"The previous *bleed vulnerabilities have typically been out-of-bounds reads, but this one is the use of uninitialized memory. An uninitialized image decode buffer is used as the basis for an image rendered back to the client. This leaks server side memory. This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks," Evans explains in a blog post.

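The bug class Evans describes can be reproduced in a few lines. The following is an added example, not code from ImageMagick, Yahoo or Evans's post: the one-chunk "heap", the 32-byte canvas and all function names are hypothetical, and the secret string is constructed. It shows a decoder that returns a recycled, uncleared buffer next to a hardened version that clears the buffer and rejects truncated input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANVAS 32u  /* bytes in the toy canvas (constructed size) */

/* One recycled chunk stands in for the heap: like malloc(), handing it
   out again does not clear what the previous user left behind. */
static uint8_t chunk[CANVAS];
static uint8_t *chunk_alloc(void) { return chunk; }

/* An earlier request writes data into the chunk, then "frees" it. */
void previous_request(const char *secret) {
    size_t n = strlen(secret);
    memset(chunk_alloc(), 0, CANVAS);
    memcpy(chunk, secret, n < CANVAS ? n : CANVAS);
}

/* Flawed decoder: copies only the bytes the file supplies, then returns
   the whole canvas, so a short file leaves stale bytes in the tail. */
const uint8_t *decode_flawed(const uint8_t *in, size_t len) {
    uint8_t *px = chunk_alloc();            /* never cleared */
    memcpy(px, in, len < CANVAS ? len : CANVAS);
    return px;
}

/* Hardened decoder: clear the canvas and refuse truncated pixel data. */
const uint8_t *decode_hardened(const uint8_t *in, size_t len) {
    uint8_t *px = chunk_alloc();
    memset(px, 0, CANVAS);
    if (len < CANVAS) return NULL;
    memcpy(px, in, CANVAS);
    return px;
}

/* Count nonzero canvas bytes beyond what the input file supplied. */
size_t stale_bytes(const uint8_t *px, size_t supplied) {
    size_t n = 0;
    for (size_t i = supplied; i < CANVAS; i++) n += (px[i] != 0);
    return n;
}

int main(void) {
    const uint8_t tiny[4] = {1, 2, 3, 4};   /* constructed short input */
    previous_request("session=constructed-value");
    printf("flawed: %zu stale bytes\n", stale_bytes(decode_flawed(tiny, 4), 4));
    previous_request("session=constructed-value");
    printf("hardened: %s\n", decode_hardened(tiny, 4) ? "rendered" : "rejected");
    return 0;
}
```
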
Evans reported the issue to Yahoo via its bug bounty program. Once a bug report is received, the company has a self-imposed (and industry-wide accepted) deadline of 90 days to fix it. Yahoo went ahead and retired ImageMagick completely.

The researcher was awarded $14,000 for his troubles, which he will donate to charity. Yahoo will match the donation, so $28,000 will be going to a yet-unnamed charity.