November 23, 2014

Egyptian hacker selling Yahoo! Mail exploit for $700

(LiveHacking.Com) – An Egyptian hacker is selling a zero-day exploit for Yahoo! Mail that lets an attacker hijack email accounts. The hacker is offering the exploit for $700 on a hacking-related black market website. The exploit uses a cross-site scripting (XSS) vulnerability in yahoo.com that allows an attacker to steal cookies. Once the cookie has been stolen the attacker can send or read email from the victim’s account.

The hacker created a video for potential buyers on the Darkode cybercrime forum. In the video a method for accessing the victim’s account is demonstrated. For the exploit to work the attacker must trick the user into clicking on a specially-crafted link. Brian Krebs has got hold of the video and posted it to YouTube.

As part of the sales pitch the hacker wrote, “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” Notice how he uses his entrepreneurial skills to drop the price to just $700.

Brian Krebs has informed Yahoo! of the problem. According to Ramses Martinez, director of security at Yahoo!, the problem for the engineers is to work out exactly which URL is susceptible, as it isn’t clear from the video. Once found, it should be easy enough to fix.

XSS attacks are unfortunately all too common. The site Xssed.com hosts an archive of reported XSS vulnerabilities, including several examples of other XSS flaws in yahoo.com. XSS attacks work by getting an unsuspecting user to click on a malicious link. Once clicked, a script is executed in the context of the vulnerable site and can access cookies, session tokens or other sensitive information stored by the victim’s browser. This information can then be sent to the attacker.
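The two controls that blunt a cookie-stealing stored XSS of the kind described above are contextual output encoding of stored user content and marking the session cookie HttpOnly so that page scripts cannot read it even if one does get injected. The following is an added illustration written for this page, not code from Yahoo! or from the article; the function names, the sample subject line and the cookie name are constructed for the example.

```javascript
// Added example (not from the LiveHacking.Com article): defensive controls
// against a stored XSS that tries to read session cookies.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a stored value (here: an email subject line) into an inbox listing.
// Because the subject is encoded, a stored payload renders as visible text
// instead of executing.
function renderSubject(subject) {
  return `<li class="subject">${escapeHtml(subject)}</li>`;
}

// Constructed sample subject, as it might be stored server-side and later
// echoed into the inbox view. It is a harmless marker, not a working payload.
const constructedSubject = '<script>alert("xss")</script> Hello';

// Check that a rendered fragment contains no raw tag from the stored value.
function containsRawTag(fragment, stored) {
  // Anything the template itself emits is trusted; only the stored part matters.
  return escapeHtml(stored) !== stored && fragment.includes(stored);
}

// Build a Set-Cookie header value for the session cookie with the flags that
// keep document.cookie from exposing it to a script running in the page.
// "SESSION" is a placeholder cookie name for the example.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Minimal attribute check so a deploy-time test can confirm HttpOnly is set.
function cookieIsHttpOnly(headerValue) {
  return headerValue
    .split(';')
    .map((part) => part.trim().toLowerCase())
    .includes('httponly');
}

// Usage: render the constructed subject and verify both controls hold.
const rendered = renderSubject(constructedSubject);
console.log(rendered);
console.log('raw tag leaked:', containsRawTag(rendered, constructedSubject));
console.log('HttpOnly set:', cookieIsHttpOnly(sessionCookieHeader('SESSION', 'abc123')));
```

Encoding must match the context the value lands in (HTML text here); a value placed inside a JavaScript block or a URL needs a different encoder. HttpOnly does not stop an injected script from acting as the user while the page is open, but it does remove the cookie-theft path the sales pitch above relies on.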

20 Percent of Fortune 100 Companies Were Hit by the RSA Attackers

(LiveHacking.Com) – Brian Krebs, who was until just a couple of years ago a reporter for The Washington Post, has revealed that over 760 other companies have been hit by the same attackers who targeted RSA earlier this year.

In his blog post, Brian says that “more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.”

Brian does, however, give some caveats:

  1. Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit.
  2. It is not clear how many systems in each of these companies or networks were compromised.
  3. Some of these organizations (there are several antivirus firms mentioned below) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.
The most interesting names on the list include:
  • The Alabama Supercomputer Network
  • Cisco Systems
  • eBay
  • The European Space Agency
  • Facebook
  • Google
  • IBM
  • Intel Corp
  • the Internal Revenue Service (IRS)
  • MIT
  • Motorola Inc.
  • Northrop Grumman
  • Novell
  • PriceWaterhouseCoopers
  • Research in Motion (RIM) Ltd.
  • Seagate Technology
  • VMWare