Thursday, December 29, 2005
Iframes in Yahoo Groups
SpamHuntress wrote about this problem yesterday. She found that Yahoo allows iframe tags to be inserted into Yahoo Groups by an administrator.
Since originally posting, we have been working on showing it was also possible to insert an iframe from a user-submitted message, not only administrator-inserted code. Here are my examples showing the iframe vulnerability in a message posted by a user by email and from the Groups interface.
This is not a new problem. Some people believe the real weakness lies with internet browsers. In a way it does, but then you could say the real vulnerability is the existence of the iframe tag itself. But iframes, when used properly, can be useful. They aren't really necessary for website design, but they aren't going away. If you use AdSense you are probably using iframes and don't even know it. Do you want to tell Google they can't use iframes anymore? The real solution is to filter user-submitted content. That doesn't prevent all malicious uses of iframes, but what spammers and scammers do on their own site is a different problem.
Similar iframe vulnerabilities can be found in other forum software, but Yahoo is a large service that I think can give users a false sense of security. They may believe they are on a trusted site while under the yahoo.com domain. Yahoo should do whatever they can to protect their users. They do prevent JavaScript from being run from a message, so they clearly understand that user content can be dangerous. They just missed this one. Hopefully they fix it soon.