Hacker selling $700 exploit that hijacks Yahoo email accounts

For sale sign, courtesy of Shutterstock

A hacker is selling a $700 zero-day exploit for Yahoo Mail that lets an attacker leverage a cross-site scripting (XSS) vulnerability to steal cookies and hijack accounts.

The hacker, who goes by the handle TheHell, created a video to market the exploit on Darkode, an exclusive underground cybercrime market.

In the video, which security blogger Brian Krebs reproduced and posted to YouTube, TheHell demonstrates how to access a victim’s account.

First, an attacker would need to lure a victim into clicking on a maliciously crafted link.

According to the video, once a victim opens that link, a logger records his cookies. The victim is redirected back to the Yahoo email page. The attacker can then redirect the victim’s browsing session at will.

The cookies logger replaces the cookies it stole, the video claims, and allows the attacker to log in to the hijacked Yahoo email account.

The hacker’s sales pitch promises that the exploit works on all browsers, doesn’t require an attacker to bypass IE or Chrome XSS filters, and is a bargain for the price:

"I'm selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don't want it to be patched soon!"

Krebs has alerted Yahoo, which told him that it was responding to the vulnerability.

Fixing the security hole will be simple, Yahoo said, but finding it is another matter entirely.

Unfortunately, the video gave precious few hints to help Yahoo figure out the yahoo.com URL that triggers the exploit, Yahoo Director of Security Ramses Martinez told Krebs:

"Fixing it is easy, most XSS are corrected by simple code change. ... Once we figure out the offending URL we can have new code deployed in a few hours at most."

Hopefully, by the time you read this, the flaw will have been fixed.

XSS flaws are widespread, showing up in the Open Web Application Security Project’s (OWASP’s) list of Top 10 Application Security Risks.

YahooXssed.com, a site that posts reported XSS attacks, has many other examples of XSS flaws that have been found in Yahoo pages.

As OWASP explains, XSS flaws happen when an application takes untrusted data and sends it to a browser without properly validating or encoding it. The flaws enable attackers to execute scripts in victims’ browsers, which then hijack user sessions, deface web sites, or redirect a user to malicious sites.

OWASP offers this cheat sheet on how to prevent XSS flaws, as well as other resources on how to review code and test for XSS flaws.
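The flaw class OWASP describes, as an added example that is not from the article, Yahoo or OWASP: a stored message rendered without output encoding, next to the encoded version. All function names and the sample message are hypothetical and constructed; the HttpOnly cookie flag is a defense-in-depth measure the article does not mention.

```javascript
// Added example: stored XSS in a message view and the output-encoding fix.
// Hypothetical names throughout; this is not Yahoo's code.

// Encode the five characters that matter in HTML element content and in
// quoted attribute values. One pass, so "&" is never double-encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored, attacker-controlled fields are concatenated
// straight into markup, so any tags they contain reach the browser as tags.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><h2>${msg.subject}</h2><p>${msg.body}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output,
// so the browser displays it as text instead of parsing it as markup.
function renderMessageSafe(msg) {
  return `<div class="msg"><h2>${encodeHtml(msg.subject)}</h2><p>${encodeHtml(msg.body)}</p></div>`;
}

// Defense in depth (assumption, not from the article): HttpOnly keeps page
// script from reading the session cookie even if an XSS flaw slips through.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Crude regression check used only to compare the two renderers above.
// It is not a sanitizer and must not be used as one.
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample: a stored message whose body carries a script element.
const storedMessage = {
  subject: 'Invoice "Q3"',
  body: '<script>/* constructed placeholder */</script>Hello',
};

console.log('unsafe:', renderMessageUnsafe(storedMessage));
console.log('safe:  ', renderMessageSafe(storedMessage));
console.log('cookie:', sessionCookieHeader('sid', 'constructed-session-id'));
```

Because the payload is stored and served from the site's own origin, the encoding has to happen on the server at output time; browser-side XSS filters that inspect the request never see it.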

On the user end, as Krebs notes, this is yet another good reminder to tread carefully when it comes to clicking on links in emails we’re not expecting or from users we don’t know.

