A Medireview Approach To Stopping E-Mail Attacks
dcsmith writes: "This article at the Need To Know web site reports that the free (as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.
My words not theirs (Score:3, Interesting)
Re:My words not theirs (Score:2, Funny)
Verified? (Score:2)
Nothing got changed, did anyone even verify this?
Re:Verified? (Score:2)
Re:Verified? (Score:2, Informative)
While I would commend Yahoo! for at least trying to protect their users, it would seem like doing this without some kind of notice or disclaimer kinda sucks ass.
Re:Verified? (Score:2)
Yes, it does change it. Oddly enough, they apparently got smart enough to stop switching "evaluate" out though.
Re:Verified? (Score:2)
Wow (Score:5, Funny)
Flaunting my classical education... (Score:2)
[from the Latin, medius middle + aevum age]
Re:Wow (Score:2)
Also, there are a number of cases of "mediaeval" being converted to "mediareview". So it's not just the medical review people who are affected by this, but also anyone reviewing the media.
I wonder if Senator Hollings or the RIAA have heard about this?
Also, do you think we could get Yahoo classified as terrorists for hacking the contents of email messages with medical effects? Note that some of these effects will be long-term (chronic), due to the thousands of web pages that are already infected.
Enh? (Score:5, Interesting)
Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend its baffling type guessing [microsoft.com] to parts of documents as well?
Re:Enh? (Score:4, Interesting)
Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether it's embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully, it's just to say that, in practice, it's no simple task.
Re:Sounds like a crap hack (Score:2)
Re:Enh? (Score:3, Funny)
No, nothing like that.
"mocha" is what javascript was called before the big java hype. You'd want to replace "mocha" for the same reason you want to replace "javascript", as many browsers will still treat the two the same for backwards-compatibility reasons.
-Bill
Re:Enh? (Score:2)
Low Brow Solution (Score:2, Insightful)
Re:Low Brow Solution (Score:2, Informative)
Guess again:
$ grep -c eval
22
Re:Low Brow Solution (Score:4, Interesting)
Re:Low Brow Solution (Score:2)
Re:Low Brow Solution (Score:2, Interesting)
Don't forget to change:
Mocha
M0ch4
^^0[h4
etc...
absurd
Re:Low Brow Solution (Score:2)
Re:Low Brow Solution (Score:3, Funny)
Personally, I think he's just a blatherskite. ;)
HTML E-mail Only (Score:5, Informative)
Yahoo works better... (Score:4, Funny)
Re:Yahoo works better... (Score:4, Funny)
Re:Yahoo works better... (Score:2)
like the crackers you probably doesn't not eat too.
No way, dude; it's the 1337 crackers that can bite me.
Yup (Score:2)
Reason for changes... (Score:5, Interesting)
Eval is a commonly used javascript command (duh).
An interesting one. Mocha is the old name for what became Javascript.
Obvious
Breaks most javascript embedded in HTML email.
As above.
Breaks most vbscript embedded in HTML email.
Another old name for Javascript.
However, this seems the most retarded possible way of cutting out scripts in HTML emails.
Better, would be a regexp something like .*? and targeted removal of a few other tags.
Re:Reason for changes... (Score:3, Interesting)
IE4+ allow you to embed JavaScript in CSS statements using the "expression" parameter to evaluate it, and return a value to a CSS class. It's obscure, but the syntax is:
<span style="margin-top: expression(JavaScript code here)">
(Hopefully this doesn't get munged by Slashdot's own filtering code). So it's a potentially serious security breach for anyone considering parsing HTML documents and allowing STYLE="" attributes to persist (most mail clients do), especially because it is not well known amongst most coders. Further info is available from MSDN [microsoft.com] for anyone interested. Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack [slashcode.com], resulting in many goat-themed redirects?
Anyway, a while ago I used Yahoo Mail as my main account and sent quite a few JavaScripts back and forward related to my website, and noticed "onmouseover" was changed to "onfilterchange" and similar replacements in the body of the mail. This was about 6 months back at least, so it's nothing new. Personally, I think they could probably come up with better filtering methods, but then again stealing a Yahoo! account's details using JS could be a lot more dangerous (finance sections etc) than your average Slashdot trollery -- so perhaps the extra caution is warranted.
Perhaps the original JavaScript designers should have included a META tag to disable all scripting in the current document, so you could include that in all your static CGI documents and not have to worry about the details. It would certainly improve the security of many sites if it was adopted by most browsers even now.
Re:Reason for changes... (Score:2)
<a href="Javascript:eLiTeSkRip7()">
<span onclick="someOtherCode()"></span>
<img src="blah.gih" onload="someScript()">
etc etc etc...
I think removing links to images on user tracking sites might be a good idea too, BTW. I filter most spam, but every so often I inadvertently open one with one of these "unique tracking ID" type images and Whoops! I've just confirmed my email address works!
Re:Reason for changes... (Score:3, Funny)
Yahoo response (Score:5, Funny)
Verified (Score:3, Informative)
<html>
<body>
m o c h a: mocha <mocha>
free e x p r e s s i o n: free expression <free expression>
m e d i e v a l : medieval <medieval>
</body>
</html>
Result:
m o c h a : espresso, free e x p r e s s i o n : free statement m e d i e v a l : medireview
Probably already fixed (Score:3, Informative)
Oh, and since NTK is slashdotted already, you might want to read the original politech message [politechbot.com] to see what we're talking about.
Re:Probably already fixed (Score:3, Interesting)
would evaluation become reviewuation... probably not. i think they need a special case when there isn't a whitespace character in the front of eval.
hotmail has this problem too, but they just try to stop all of the ways a script could start... the problem though: IE is so fux0ered up that you can sometimes create iframes in malformed tags, and then just run the script in the iframe.
yahoo must have the same problems.
Re:Probably already fixed (Score:2)
I rest my case. [google.com]
Re:Probably already fixed (Score:4, Informative)
Re:Probably already fixed (Score:2, Interesting)
What I sent:
eval => review
mocha => espresso
expression => statement
javascript => java-script
jscript => j-script
vbscript => vb-script
livescript => live-script
And what I got
review => review
espresso => espresso
statement => statement
java-script=> java-script
j-script => j-script
vb-script => vb-script
live-script => live-script
This is not cool. What's next? *'s when I tell someone to go F*** themselves?
Re:Probably already fixed (Score:2)
'News'? Old as the hills mate - April 2001 (Score:2, Informative)
(google for it - I can't be bothered to translate all the lts and gts by hand, so the following will be munged a bit, this is the explicit mention of medireview from comp.risks 21.34)
Date: Mon, 2 Apr 2001 22:00:13 -0400
From: Kirrily Skud Robert
Subject: More on Yahoo mail's anti-virus attachment translation
Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw the following e-mail on a mailing list which discusses medieval cookery:
From:
Subject: (OT) "Medireview" ???
Does anyone know why certain Web sites and mail servers change the word
"medieval" to "medireview" without any warning? Have I missed something?
So the 'original' story is only a few days less stale than the NTK one.
Early 2001, come on, get a grip. News should be _new_.
FatPhil
Text of NTK now article (Score:2, Informative)
Nice to see, in the midst of all these scandals, Yahoo turning a healthy profit. But as other companies fiddle the figures, Yahoo's been busy instead with fiddling its own users' private correspondence. In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a @yahoo.com account, and your choice in coffee will be silently switched to "espresso". Talk about "free expression", and your recipient will think you said "free statement". Here's the full list of swaperoos:
http://www.ntk.net/2002/07/12/yahoo.txt
- try not to mail it to your friends
This fiddling has been going on now for over a year (the ever vigilant RISKS digest noted it back in March 2001). But because of Yahoo's underhand methods, very few people have spotted the turnabout - certainly far fewer than if Yahoo had done the sensible thing and, say, "**"'ed out the vowels in the word, or, God forbid, written a smarter parser. But the sneakier you are, the wider the damage spreads. The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview". Google now shows over 640 sites (and 1,150 separate instances) of the word "medireview" being used as a synonym for medieval. University papers, bibliographies and book reviews, Indian newspaper columnists, and endless enthusiast sites drop it unseen into texts. People have begun to ask where it originally came from, and does it have a subtler meaning beyond "medieval"? Is Yahoo ever going to fix its filters? Or is it time we pushed to get the first regexp-obfuscated word into the Oxford English Dictionary?
http://catless.ncl.ac.uk/Risks/21.34.html
- does anyone still at Yahoo even know how to turn it off?
http://www.google.com/search?q=medireview
- NTK now entirely filled with google links
The next hack (Score:2, Funny)
Of course, the next hack will be to produce e-mail that becomes a cross-site scripting attack (or criminal/tortious in some other way) after passing through Yahoo's filter. Who's going to bear the liability for that?
Other amusing mangled words floating around (Score:5, Interesting)
"retrireview" (retrieval): 333 matches at google.
"prreviewent" (prevalent): 41 matches at google.
I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?
Re:Other amusing mangled words floating around (Score:2, Funny)
Re:Other amusing mangled words floating around (Score:2, Interesting)
Re:Other amusing mangled words floating around (Score:4, Interesting)
A search for "Lorm Ipsum" returns 6 results, but suggests "Lorem Ipsum" instead. That brings up "about" 38,100 results.
As I curiously searched for the meaning on this phrase, I stumbled across this explanation here [straightdope.com]. Essentially, it's an adaptation of some classic quote, but, it seems, no longer really makes any sense at all.
Re:Other amusing mangled words floating around (Score:3, Interesting)
Definitely far more than the average person needs to know about it, but way cool if you're into printing trivia.
I'm sorry, but am I confused about the month? (Score:2)
Still, it would be enormously funny if one of the largest E-mail providers would actually do such a thing, as well as the consequences. "Medireview" indeed. Apparently, Yahoo! programmers don't even know about /\beval\b/. It's under "perldoc perlre".
perhaps it's another problem. (Score:2, Interesting)
Arrgh (Score:3, Insightful)
Re:Arrgh (Score:2)
Re:Arrgh (Score:2)
I just sent my mom a little response to one of her emails that took 17.9K to say "How are you?". It was produced using an abomination called IncrediMail. un-fucking-believable!
Together with the invisible 1X1 goddam bitmaps in every piece of unforgivable-by-god-even piece of spam in my inbox it's enough to make one go on a rampage.
Why bother with Yahoo! at all anymore? (Score:2)
Instead of being good at any one thing, it's horrible at all things it does. Want to search? Go to Google. Want to see stock quotes? Hit Etrade. Want weather? Go to weather.com. Want nice categories? Hit dmoz.org.
Why anyone continues to care about Yahoo these days is simply beyond me.
It's not such a bad idea! (Score:2, Funny)
They should also correct all of the mail sent by script kiddies, tHoz tHat tYp LiKe Thiz, to something more logical.
it is true ... (Score:2)
Have a mocha, or perhaps medieval is enough for you...
rec'd message:
Have a espresso, or perhaps medireview is enough for you...
It's not just Yahoo (Score:3, Interesting)
"It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources
"The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules [staffordshire-events.com])
"Lectures on the Crusades and medireview society." (college course syllabus [ucf.edu])
It makes one long for the Dark Ages.
Bah (Score:4, Funny)
When they're replacing random (or not so random...) words with either 'smurf' or 'fnord,' THEN it's time to worry.
Re:Bah (Score:2)
"eval" != " eval "; (Score:2, Insightful)
Come on Yahoo. When parsing a block of text how hard is it to strip white spaces and evaluate each token individually?
Replacing a key phrase even though it is part of another word seems like an amateur mistake don't ya think.
Re:"eval" != " eval "; (Score:2)
They're already doing too much processing on email, and increasing this will mean increasing hardware and support costs.
technical considerations [add 1984 reference here] (Score:2)
It might distort non-well-formed HTML, but if the HTML isn't well-formed to begin with all bets are off anyway.
I realize that would require quite a few more server resources to implement. Too bad. As it is this ill-thought-out scheme appears to stand a real chance of permanently distorting the English language.
One does wonder if the Chinese government (or any government, really
Another reason to PGP sign your mail.. (Score:5, Informative)
More info in the PGP faq [pgp.net]
Also, for an excellent GPLed implementation of OpenPGP, use GnuPG [gnupg.org].
Why REPLACE the words??? (Score:3, Interesting)
Re:Why REPLACE the words??? (Score:3, Insightful)
A technique used for displaying your email address without the risk of dumb email harvesters plucking it from your website.
example: the letter 'a' becomes & #97;
basically 'medieval' would become & #109;& #101;& #100;& #105;& #101;& #118;& #97;& #108;
Any browser would display the text like it was intended but no script will run!
Try it at:
http://www.hivelogic.com/safeaddress/
More info on:
http://www.alistapart.com/stories/spam/
If I am wrong, don't blame me, it's my first registered post!
My Favorite (Score:2)
Robert E Lerner [fordham.edu]
He's got medireview all over his own CV!
-Sean
The joys of filtermangling (Score:2)
Under some cirbody fluidstances, it's quite amusing.
Re:The joys of filtermangling (Score:2)
GOOD THING!!! (Score:2)
I'll admit, when I first signed up, it was a pretty good system. Unfortunately many bad changes have been made... pop & smtp are fee-based. Javascript is now required (this really pisses me off!). You can still only send 3 attachments! Their interface is rather lacking... And you are limited to a small number of filters. Now that e-mails are getting screwed-up, it's the last straw for me, and hopefully for many others as well.
The next step... Does anyone know of a free service that provides secure IMAP? I'll sign-up right away.
Re:GOOD THING!!! (Score:2)
I have had the same email address for 7 years. Other addresses I've maintained have come and gone, but this address, I've kept unchanged - and I never once had to send out a mass mailing to all my friends telling them my email address was changing.
Also, I'm a multi-platform kind of guy. I'm always certain that no matter where I am, what machine I'm on, if it's internet connected and has a reasonable browser, I can get my email. Hell, two years ago, when I was on vacation in Tahiti, and I was also waiting for an estimate to come through on some home repairs, I went into an internet cafe, and zing! Got my mail, and by the time I was back home, the repairs were done. I didn't have to have any special software installed, didn't have to remember the mail server's name, or protocol type, or configure where I wanted my messages to be stored, etc. etc. etc.
There's something to be said for browser-based mail. I wouldn't want to do ALL of my email communication through it - but I'm sure as hell happy I have it as a personal back up.
multi-platform, anywhere (Score:3, Funny)
+OK InterMail POP3 server ready.
user exampleuser
+OK please send PASS command
pass examplepass
+OK exampleuser is welcome here
list
+OK 1 messages
1 719
.
retr 1
+OK 719 octets
I send you this message in order to have your advice.
.
dele 1
+OK
quit
+OK exampleuser InterMail POP3 server signing off.
Tim
Re:GOOD THING!!! (Score:2)
Re:GOOD THING!!! (Score:2)
Also, there isn't even a version that uses frames anymore.
Re:GOOD THING!!! (Score:2)
Secondly, there are downsides. They explicitly disallow any commercial use. They acknowledge it is an experimental service, with a good deal of downtime. Perhaps if I knew it did have secure IMAP I would still have signed-up.
why? (Score:2)
Frankly, the only HTML mail I ever get is spam anyway. They should just not render html period.
Re:why? (Score:2)
Google (Score:2)
Re:Google (Score:2)
Maybe not, but MediReview is a real trademark.
I wonder what they think of all the free advertising they're getting?
other strange words (Score:2)
reviewuation (evaluation)
dreviewuation (devaluation)
dreviewue (devalue)
I just verified it. (Score:5, Informative)
"eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"
This is what arrived in my inbox.
"review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "
I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.
It's curious that only some of the words were changed, but not all the ones listed in the article.
Re: OT: I just verified it. (Score:2, Informative)
I paid $35 to get my-domain-name.tld hosted by Yahoo! This included: five addresses @mydomain.tld, Yahoo! advertising on every outgoing mail, and Geocities web space with ads and whatever absurd bandwidth limit a free Geocities site has. Then Yahoo! told me I'd have to pay $30 to continue having POP3 access.
So I transferred my domain to hostica.com, and for $25 bucks got: another year of registration, as many email addresses as I want (albeit forwarded to one POP3 account), 5MB of space, and 10GB/month of bandwidth, with the option to add services from an a la carte pricing menu. And did I mention? No ads!
(I have no financial interest in hostica, I get no referral fee, no consideration of any sort for this post. This ain't no ad, and it's not even that I don't think you could do as well somewhere else. It's more that you can do a lot better than Yahoo, for not much money. It's just a matter of doing the math -- $65/annum for less, or $25/annum for much more -- and preferring better service.)
Changes revert back upon forwarding (Score:2, Informative)
Do I have to change my name to .... (Score:2, Funny)
Stories about automatic correction (Score:2)
"Medireview" has even made it into someone's resume [fordham.edu] (PDF); that must seriously reduce his chances of getting hired. Other references seem to have gotten into scholarly works. This is just the latest in a long string of stories about automatic (or semi-automatic) computer correction having serious consequences.
When I was at college, one student ran his doctoral thesis through the spellchecker one last time before submitting it to the binders, and thence to the Board of Graduate Studies. Unfortunately, he inadvertently selected the "silently accept all suggestions" option, and failed to check the results. The manuscript he submitted was almost incomprehensible. After that, the University added a one-page warning to the spellchecker output (yes, it was in the days of mainframes).
Unfortunately, it appears that the well-known story [urbanlegends.com] about "in the black" becoming "in the African American" is only partly true; it was a deliberate practical joke in the newsroom.
So does it change... (Score:2)
The message is not changed, just the view of it (Score:5, Informative)
l33t sp33k would be easier (Score:2)
MediReview is a trademark! (Score:4, Interesting)
"MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."
This is so amusing!
cripes, it even screwed up somebody's PDF resume (Score:2)
This is OLD (Score:2)
Steps to reproduce:
1. Open a Yahoo mail account if you don't have one, and log on to it.
1a. Uncheck the checkboxes on the privacy policy page.
2. Click on "Compose", to compose a message.
3. Look for a link on the "compose" screen that says "Add Color and Graphics", and click on it.
4. Your screen should now have a link (in the same place) that says "Switch to Plain Version". You will also see a pretend MS-Word-type toolbar for bold, italic, background color, etc.
5. Type a one-line email to yourself (meaning send it to your same Yahoo account). Type in something with "medieval" and "expression", e.g.
Her expression was medieval
6. Go back to your inbox, and click on "Check Mail".
7. Read the email. The above sentence becomes
Her statement was medireview
8. Optionally, forward it from there to a real email account. The message will have no body, and it will come with an attachment. Open the attachment, and you will see it back in its original form:
Her expression was medieval
Genealogy Problem (Score:2)
What if your name is Chevalier? Check out the 4th link from the Google search for Chreviewier [google.com]. It looks like somebody's genealogical search is going to be that much harder.
Server exploit? (Score:2)
Does anyone know of any documented cases of servers being exploited through specially formatted emails? (besides buffer overflows)
Information corruption (Score:4, Funny)
Fucking idiotic.
Not new. (Score:2)
Why do you use HTML for email anyway? (Score:2)
Re:Can someone please explain... (Score:2)
james
Re:Can someone please explain... (Score:2, Informative)
Re:Can someone please explain... (Score:2, Insightful)
Re:Can someone please explain... (Score:2, Informative)
Re:2 sheds? (Score:2)
No, I've only got one. I've had one for some time, but a few years ago I said I was thinking of getting another, and since then some people have called me "Two Sheds"...
More... [uibk.ac.at]
Anyone would have thought you knew that already :-)
Re:*grumble* (Score:2)