Hacker selling $700 exploit that hijacks Yahoo email accounts


A hacker is selling a $700 zero-day exploit for Yahoo Mail that lets an attacker leverage a cross-site scripting (XSS) vulnerability to steal cookies and hijack accounts.

The hacker, who goes by the handle TheHell, created a video to market the exploit on Darkode, an exclusive underground cybercrime market.

In the video, which security blogger Brian Krebs reproduced and posted to YouTube, TheHell demonstrates how to access a victim's account.

First, an attacker would need to lure a victim into clicking on a maliciously crafted link.

According to the video, once a victim opens that link, a logger records the victim's cookies. The victim is then redirected back to the Yahoo email page, and the attacker can redirect the victim's browsing session at will from that point on.

The cookie logger then swaps in the stolen cookies, the video claims, allowing the attacker to log in to the hijacked Yahoo email account.

The hacker's sales pitch promises that the exploit works on all browsers, doesn't require an attacker to bypass IE or Chrome XSS filters, and is a bargain for the price:

"I'm selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don't want it to be patched soon!"

Krebs has alerted Yahoo, which told him that it was responding to the vulnerability.

Fixing the security hole will be simple, Yahoo said, but finding it is another matter entirely.

Unfortunately, the video gave precious few hints to help Yahoo figure out the yahoo.com URL that triggers the exploit, Yahoo Director of Security Ramses Martinez told Krebs:

"Fixing it is easy, most XSS are corrected by simple code change. ... Once we figure out the offending URL we can have new code deployed in a few hours at most."

Hopefully, by the time you read this, the flaw will have been fixed.

XSS flaws are widespread, showing up in the Open Web Application Security Project's (OWASP's) list of Top 10 Application Security Risks.

YahooXssed.com, a site that posts reported XSS attacks, has many other examples of XSS flaws that have been found in Yahoo pages.

As OWASP explains, XSS flaws happen when an application takes untrusted data and sends it to a browser without properly validating or encoding it. The flaws enable attackers to execute scripts in victims' browsers, which can then hijack user sessions, deface websites, or redirect users to malicious sites.

OWASP offers this cheat sheet on how to prevent XSS flaws, as well as other resources on how to review code and test for XSS flaws.
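To make the OWASP point concrete, here is an added example (not code from the article, Yahoo or OWASP) showing the two defender-side controls that matter for a cookie-stealing stored XSS like the one described: output-encoding untrusted data before it reaches the browser, and marking the session cookie HttpOnly so page scripts cannot read it. The `exfil()` call in the sample payload is a constructed placeholder, not a working logger.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: attacker-controlled text that a webmail app might store
# (e.g. a message subject) and later render to other users. Stored XSS means
# the payload is served by the site itself, so browser XSS filters that only
# compare request parameters against the response do not see it.
UNTRUSTED_SUBJECT = '<script>exfil(document.cookie)</script>'


def render_unsafe(subject: str) -> str:
    """Vulnerable: untrusted data concatenated into HTML with no encoding."""
    return f"<li class='subject'>{subject}</li>"


def render_safe(subject: str) -> str:
    """Hardened: HTML-entity encoding for the element-content context.
    Per the OWASP cheat sheet, encoding is context specific; data placed
    inside attributes, JavaScript or URLs needs the encoder for that context."""
    return f"<li class='subject'>{html.escape(subject, quote=True)}</li>"


def contains_active_script(rendered: str) -> bool:
    """Demo check only: did a literal <script tag survive into the markup?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie with HttpOnly (not readable via
    document.cookie), Secure (TLS only) and SameSite=Lax. HttpOnly blunts
    cookie theft but does not stop injected script from acting within the
    victim's already-authenticated session, so encoding remains the real fix."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(UNTRUSTED_SUBJECT))
    print("safe   :", render_safe(UNTRUSTED_SUBJECT))
    print("cookie :", session_cookie_header("constructed-session-id"))
```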

On the user end, as Krebs notes, this is yet another good reminder to tread carefully when it comes to clicking on links in emails we're not expecting or from users we don't know.


For sale sign, courtesy of Shutterstock


2 Responses to Hacker selling $700 exploit that hijacks Yahoo email accounts

  1. MaKyOtOx · 612 days ago

    Maybe it's time for Yahoo to put in place a Bug Bounty Program?

  2. Matthew Cohen · 601 days ago

    “On the user end, as Krebs notes, this is yet another good reminder to tread carefully when it comes to clicking on links in emails we're not expecting or from users we don't know.”

    Depending on the attack, you might not even have to click on the link.

    Best,

    Matthew Cohen


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.