Yahoo retires ImageMagick library after 18-byte exploit leaks user email content

The simple line of code made it possible for attackers to view private Yahoo Mail images.

Yahoo has decided to retire the use of the ImageMagick library following a researcher’s disclosure of a simple way to make the system leak email information.

Last week, security researcher Chris Evans demonstrated the exploit and released the details of the security flaw to the public.

In a blog post, Evans said the so-called “Yahoobleed #1” (YB1) vulnerability is a way to slurp other users’ private Yahoo! Mail image attachments from Yahoo servers.

YB1 exploits a vulnerability in ImageMagick, an open-source image processing library that provides the backbone for image handling in many online services.

Unlike previous out-of-bounds server-side memory content leaks, such as Heartbleed and Cloudbleed, Evans says that Yahoobleed makes use of uninitialized memory.

“An uninitialized image decode buffer is used as the basis for an image rendered back to the client,” the researcher says. “This leaks server-side memory.”

“This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash,” Evans added. “However, the leaked secrets will be limited to those present in freed heap chunks.”

In a proof-of-concept (PoC) demonstration, the researcher attached an 18-byte exploit file to an email, sent it to himself, and then clicked on the image to launch the image preview pane, showing how it is possible to compromise a Yahoo email account.

“The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content,” Evans said.

The vulnerability lies in the obscure RLE (Utah Raster Toolkit Run Length Encoded) image format. An attacker could simply create a crafted RLE image, send it, and create a loop of empty protocol commands which prompts the information leak.

Yahoo did not implement any form of whitelisting for ImageMagick decoders, which allowed such malicious files to slip through the net.
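
One way to build the decoder allowlist described above, as an added example that is not Yahoo's or ImageMagick's code: attachments are identified by their leading bytes, and only allowlisted formats reach the converter, each with an explicit `coder:` prefix so ImageMagick does not choose a decoder itself. The accepted formats, the function names and the storage path are assumptions.

```python
from typing import Optional

# Leading bytes of the only formats this hypothetical service accepts (assumption).
ALLOWED_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

class RejectedUpload(ValueError):
    """Raised when an attachment is not one of the allowlisted formats."""

def sniff_format(data: bytes) -> Optional[str]:
    """Identify the format from content only; file name and MIME type are ignored."""
    for name, signatures in ALLOWED_SIGNATURES.items():
        if data.startswith(signatures):
            return name
    return None

def converter_input(data: bytes, stored_path: str) -> str:
    """Return the 'coder:path' argument to hand to ImageMagick, or raise."""
    fmt = sniff_format(data)
    if fmt is None:
        raise RejectedUpload("attachment format is not on the allowlist")
    # The explicit prefix pins the decoder instead of letting it be auto-detected.
    return f"{fmt}:{stored_path}"

def triage(uploads: dict) -> dict:
    """Map each upload name to its converter argument, or to 'rejected'."""
    result = {}
    for index, (name, data) in enumerate(uploads.items()):
        try:
            # Server-generated path (hypothetical); never built from the upload name.
            result[name] = converter_input(data, f"/srv/previews/{index}.bin")
        except RejectedUpload:
            result[name] = "rejected"
    return result

# Constructed sample uploads: leading bytes plus padding, not valid images.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "scan.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    # Utah RLE magic bytes (0x52 0xCC) behind a .jpg name: still rejected.
    "holiday.jpg": b"\x52\xcc" + b"\x00" * 6,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, "->", verdict)
```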

After Evans submitted the one-line exploit to Yahoo, the tech giant decided that it was time to retire the open-source component altogether, rather than risk any other security flaws placing user emails at risk. The ImageMagick bug has been patched and Evans was awarded a bounty payment of $14,000.

After Evans declared his resolve to give the cash, a reward of $778 per byte, to charity, Yahoo doubled the amount to $28,000.

In March, four Russians were charged by the US Department of Justice (DoJ) with stealing the credentials of over 500 million user accounts from Yahoo.