Yahoo Ends ImageMagick Library After Exploit Discovered
It should come as no surprise that Yahoo has experienced a few problems over the past few years. The company has been dealt several setbacks, even after sealing a deal to sell itself to Verizon. Many of the problems Yahoo has experienced can be directly related to hacking and hackers. Just recently, the company confirmed it will no longer use the ImageMagick library, after it was discovered that the system could easily leak private email details. What was ImageMagick, and how will the change impact users? You'll find out below.
For a long time, Yahoo Mail relied on the ImageMagick library to deal with images uploaded by users. It gave Yahoo the ability to edit and convert images directly through the email platform. It also offered a wealth of other features, such as adding special effects, gradients and even image identification. Just last week, security expert and researcher Chris Evans dove deeper into the software. He discovered a security flaw and promptly made the details public.
Evans Details The Vulnerability
As Evans explained on his blog, the YB1 vulnerability made it possible for users to obtain image attachments from other people's private Yahoo! Mail accounts. The vulnerability was directly linked to a flaw within ImageMagick's image processing code. Yahoo! isn't the only company that relies on the software; many other online services do as well. The Yahoobleed vulnerability worked in a similar manner to Heartbleed and Cloudbleed: it relied on uninitialized memory to make the server leak server-side memory to the attacker.
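As an added illustration of the bug class the article describes (this is constructed example code, not ImageMagick's code or anything from Evans' write-up), the toy "image converter" below decodes a hypothetical 1-byte-length-header format into a fixed output frame. The unsafe version fills only the bytes the input actually carries and reports a full frame, so whatever the buffer already held from an earlier request is served back; the hardened version clears the frame and rejects truncated input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_BYTES 16   /* hypothetical fixed-size output frame */

/* Vulnerable: trusts the declared length, copies only what is present,
 * and reports a full frame. out[have..declared) is never written. */
size_t decode_unsafe(const uint8_t *in, size_t in_len, uint8_t out[FRAME_BYTES]) {
    if (in_len < 1) return 0;
    size_t declared = in[0];                 /* length claimed by the header */
    if (declared > FRAME_BYTES) declared = FRAME_BYTES;
    size_t have = in_len - 1;                /* pixel bytes actually present */
    if (have > declared) have = declared;
    memcpy(out, in + 1, have);
    return declared;                         /* caller serves `declared` bytes */
}

/* Hardened: the frame is cleared before use, and an input that declares
 * more pixel data than it carries is rejected instead of half-decoded. */
size_t decode_safe(const uint8_t *in, size_t in_len, uint8_t out[FRAME_BYTES]) {
    memset(out, 0, FRAME_BYTES);             /* never hand back stale memory */
    if (in_len < 1) return 0;
    size_t declared = in[0];
    if (declared > FRAME_BYTES) return 0;    /* oversized header */
    if (in_len - 1 < declared) return 0;     /* truncated pixel data */
    memcpy(out, in + 1, declared);
    return declared;
}

/* Detection helper: counts how many bytes of a constructed "previous
 * request" sentinel ('S') survive in the frame returned for a truncated
 * input that claims 8 pixel bytes but carries only 3. */
size_t leaked_bytes(size_t (*decode)(const uint8_t *, size_t, uint8_t *)) {
    uint8_t frame[FRAME_BYTES];
    memset(frame, 'S', FRAME_BYTES);         /* stale data from an earlier user */
    const uint8_t truncated[] = { 8, 'a', 'b', 'c' };
    size_t n = decode(truncated, sizeof truncated, frame);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (frame[i] == 'S') leaked++;
    return leaked;                           /* unsafe: 5, safe: 0 */
}
```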
Yahoo Rectifies The Problem
Once Yahoo became aware of the problem, they immediately took steps to fix it. Initially, Yahoo had not implemented any kind of whitelisting of accepted image formats, which left the door open for malicious files to enter. Once Evans submitted the report to Yahoo, the email provider retired the open-source software. The company insisted it was better to do away with it altogether than to put other users at risk. ImageMagick has also taken steps to fix the vulnerability in its software.
And of course, Evans has been rewarded for his efforts. Not only did he receive recognition for his find, but he was also awarded a bounty of $14,000. Once Evans announced he would be donating the money to charity, Yahoo! stepped in and doubled the bounty to $28,000. Yahoo users will likely not notice any changes, but they'll be able to sleep a little better at night knowing Yahoo and Evans have solved the problem.