A security researcher alleges Yahoo won’t patch a hole he found in Messenger that attackers could exploit to produce a buffer overflow condition.
Researcher Julien Ahrens has published a blog post in which he outlines the details of the vulnerability he discovered and the subsequent interactions he had with Yahoo’s bug bounty program, which is hosted through HackerOne.
The hole (CVE-2014-7216) concerns Yahoo Messenger’s interpretation of emoticons. To determine which emoticons Messenger should substitute for a particular set of keystrokes, the application invokes “emoticons.xml.” If the file is found, its XML structure is parsed, and an individual emoticon replaces the user’s input based upon a unique numeric “id,” a “title” describing the emoticon, and “shortcut” key values that are string representations of the emoticon.
“The problem? The String values for ‘shortcut’ and ‘title’ are used in two different lstrcpyW calls during the parsing of the XML-file,” writes Ahrens. “It’s pretty obvious that this could lead to a nice buffer overflow condition if these values are oversized.”
Ahrens goes on to note that a “signature” key value protects emoticons.xml against man-in-the-middle (MitM) attacks but that it is downloaded during the login-process form. This means that if the signature does not match the content, the value is not downloaded and so the protective measures are actually not put in place.
The researcher submitted the vulnerability to Yahoo’s bug bounty program back in May of this year. However, the tech giant has allegedly refused to fix the hole for two reasons. First, Yahoo feels that the hole is “low severity” due to the fact that it is largely a local issue.
U.S. government industry think tank MITRE feels differently, as reported by The Register:
“Use CVE-2014-7216. In many cases, issues that require the victim to manually download a configuration file, and copy this file into a product-specific directory, are outside the scope of CVE because exploitation is not realistic. Here, emoticons.xml might be considered a configuration file for the set of emoticon images. However, as mentioned in the above smileys.rar example, there is an existence proof that third parties actually do offer sets of emoticon files including this related XML data, and presumably some Yahoo! Messenger users actually do copy these to the required %PROGRAMFILES% or %PROGRAMFILES(x86)% path by following third-party instructions such as on the http://www.tipsandtutorials.net/yahoo-messenger-11-hiden-emoticons.html web site.”
Second, while Messenger was supported under Yahoo’s bug bounty program at the time of Ahrens’ submission, the application was deemed end of life (EOL) a few months later, giving Yahoo’s security teams little motive to fix the vulnerability.
Yahoo has therefore declined to send Ahrens compensation for his discovery. This is despite the fact that it awarded $1 million to security researchers over the past year as part of its bug bounty program.
UPDATED (September 11, 2015 at 11:15 EDT): A spokesman for Yahoo! has reached out to The State of Security with the following statement:
“Yahoo takes the security of our users very seriously, and as soon as we learned of this potential vulnerability, our team responded to the security researcher and began an investigation. As the security researcher noted himself, “exploitation [of this vulnerability] might be tricky,” and would take significant additional technological hurdles. Upon extensive investigation by our team, we’ve determined that this vulnerability is not easily exploitable, requiring users to actively install unsupported 3rd-party software into Messenger, and does not present a viable security threat to our users. We’ll continue to work with our thriving bug bounty community to ensure the most secure experience possible for our users.”