FastMail.FM Security Vulnerabilities (grepular.com)
53 points by mike-cardwell on June 22, 2012 | hide | past | favorite | 17 comments



  I disclosed them responsibly and they were fixed before I published this blog post.
As a Fastmail.fm user, thanks for your work in improving the service by notifying the team of these vulnerabilities.


Does anyone else find it rather insane that SVG allows bundling code? "Active" documents like PDF and Office have demonstrated the problems associated. Why does a vector graphic format need scripts?


When you consider SVG can be seen as a potential alternative to Flash for some projects, it is not hard to understand why manipulation through scripting is a desired feature.


So instead of creating a vector format that can be safely used and manipulated from a containing environment (like any other "dumb" image format), they wanted to go make a whole new rich document system? Sigh.


IMO it is a browser bug to let SVG JS interact with anything outside the image canvas sandbox, without explicit user opt in.


Would serving attachment previews from a separate domain, like fastmail-usercontent.fm, help?


Using a separate domain to display the attachments is a good idea. Gmail does it. It is mentioned towards the end of the blog post. However, that still doesn't get rid of the vulnerability, it just makes it less dangerous.

There should be a strict whitelist of allowed content types, and anything not on that list should be download only. The trouble is, people tend to put "image/*" on that list, because they don't know what an SVG is or what it can do.


Nice work, and (as another fastmail.fm user) thank you for the responsible disclosure. May it amply repay you in consulting gigs :)

Regarding the script injection from image file names, there is a simple solution to this problem: separate the data types of strings and document structure. For example:

http://www.gnu.org/software/guile/manual/html_node/Types-and...
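The policy from the two comments above, as an added example (not Fastmail's or Horde's code): an allowlist of exact content types with download-only as the default, a byte check so a sender-declared type cannot smuggle SVG in as PNG, and the filename handled as data rather than markup. All names are illustrative.

```python
import html
import re

# Exact types only. A wildcard such as "image/*" would admit image/svg+xml,
# which is an XML document that may carry <script> and would then run in
# the webmail origin when rendered inline.
INLINE_ALLOWLIST = frozenset({"image/png", "image/jpeg", "image/gif", "text/plain"})

# Cheap content check: bytes that start like an SVG/XML document are treated
# as SVG whatever the declared type says (the declared type is sender-controlled).
_SVG_MARKER = re.compile(rb"^<\s*(\?xml|svg)\b", re.IGNORECASE)

def normalize_content_type(declared: str) -> str:
    """'Image/SVG+XML; name=a.svg' -> 'image/svg+xml' (drop params, lowercase)."""
    return declared.split(";", 1)[0].strip().lower()

def looks_like_svg(data: bytes) -> bool:
    """True if the leading bytes look like an SVG or generic XML document."""
    return _SVG_MARKER.search(data[:512].lstrip()) is not None

def disposition_for(declared_type: str, data: bytes) -> str:
    """'inline' only for an exact allowlisted type whose bytes do not look like SVG."""
    ctype = normalize_content_type(declared_type)
    if ctype in INLINE_ALLOWLIST and not looks_like_svg(data):
        return "inline"
    return "attachment"

def header_filename(name: str) -> str:
    """Make a filename safe for a quoted Content-Disposition parameter."""
    return re.sub(r'[\r\n"\\]', "_", name)

def listing_filename(name: str) -> str:
    """Filename as data for an HTML attachment list: escaped, never raw markup."""
    return html.escape(name, quote=True)

def attachment_headers(declared_type: str, filename: str, data: bytes) -> dict:
    """Response headers for serving one attachment from the webmail UI."""
    disp = disposition_for(declared_type, data)
    # Download-only content is served as opaque bytes, not as its declared type.
    ctype = normalize_content_type(declared_type) if disp == "inline" else "application/octet-stream"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",  # stop the browser second-guessing ctype
        "Content-Disposition": f'{disp}; filename="{header_filename(filename)}"',
    }
```

Serving these responses from a separate domain, as the comment notes, further limits what an inline document could reach, but the allowlist is what removes the script execution itself.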


I noticed my e-mail provider also gave me the JS popup when I clicked the SVG attachment. They are using Horde. Possible Horde security flaw?


If the JavaScript executed, it's a "probable" critical security flaw, rather than a "possible" one. Are they using the latest version? Would you be able to submit a bug report to your provider and/or the Horde project?

[edit] I have alerted security@horde.org


I've sent them an e-mail. I will let you know when I know more :)


Thanks. I am currently discussing the problem with Jan Schneider (the core developer and a founding member of Horde LLC) in the #horde IRC channel on Freenode.

[edit] They've confirmed the bug and intend to fix it by making "image/svg+xml" attachments download only. This is the same fix that FastMail used. Of course, everyone will need to upgrade when this has been done.


My e-mail provider has fixed this by displaying the attachment as plain text. I guess until they update to the newest Horde where it has been fixed.


That's an impressively fast fix for an e-mail provider. Are you able to disclose who you are using?


I agree, I was also impressed. It's a Dutch provider, dds.nl


Egads, <webmail software redacted> is also vulnerable (or at least the version deployed by my former employer).

Thank you for the detection tool!

Edit: redacted vendor.


Thanks for the report. I have just sent a bug report to their security address about this.

It would probably be better if people submitted these bugs directly to the vendor rather than making them immediately public. If you don't know how to do this, or how to describe the bug, you can let me know and I will do it on your behalf. My contact details are in my HN profile.



