A hacker is capitalizing on a Yahoo! flaw that could allow email accounts to be compromised and could trick users into visiting malicious websites. But criminal hackers will have to pay to obtain details about how to conduct this hack. The cost: $700.
Brian Krebs on his blog Krebs on Security reported last week that an Egyptian hacker was offering this deal on an "exclusive cybercrime forum" called Darkode. The hack itself steals cookies, which Krebs explains leads hackers into their target's account where they can send or read emails. Here's how the hacker going by "The Hell" advertised his exploit, according to Krebs:
“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”
Screenshot from the hacker's video demo of the exploit. (Image: YouTube screenshot)
Krebs explains more about how the hack works:
In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
"The Hell" also posted a video to show how it works, which Krebs reproduced and posted on YouTube:
Krebs writes that he contacted Yahoo! to alert them of the problem and was told the vulnerability will be relatively easy to fix.
“Fixing it is easy, most XSS are corrected by simple code change,” Ramses Martinez, director of Yahoo! security, said to Krebs. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”
Until that URL is identified, Krebs noted, the vulnerability serves as a reminder for users to be careful about clicking links that come from strangers or that appear in odd-looking messages.
Read more details about the exploit in Krebs' post.