October 26, 2014

Egyptian hacker selling Yahoo! Mail exploit for $700

(LiveHacking.Com) – An Egyptian hacker is selling a zero-day exploit for Yahoo! Mail that lets an attacker hijack email accounts. The hacker is offering the exploit for $700 on a hacking-related black market website. The exploit uses a cross-site scripting (XSS) vulnerability in yahoo.com that allows an attacker to steal cookies. Once the cookie has been stolen, the attacker can send or read email from the victim’s account.

The hacker created a video for potential buyers on the Darkode cybercrime forum. In the video, a method for accessing the victim’s account is demonstrated. For the exploit to work, the attacker must trick the user into clicking on a specially crafted link. Brian Krebs has got hold of the video and posted it to YouTube.

As part of the sales pitch the hacker wrote, “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” Notice how he uses his entrepreneurial skills to drop the price to just $700.

Brian Krebs has informed Yahoo! of the problem. According to Ramses Martinez, director of security at Yahoo!, the problem for the engineers is to work out exactly which URL is susceptible, as it isn’t clear from the video. Once found, it should be easy enough to fix.

XSS attacks are unfortunately all too common. The site Xssed.com hosts an archive of reported XSS vulnerabilities, including several examples of other XSS flaws in yahoo.com. XSS attacks work by getting an unsuspecting user to click on a malicious link. Once the link is clicked, a script is executed, and it can access cookies, session tokens or other sensitive information stored by the victim’s browser. This information can then be stolen by the attacker.

Yahoo! Mail Reinforces JavaScript Filters to Defend Against Cross-site Scripting Attacks

(LiveHacking.Com) – Researchers at Trend Micro discovered a potential vulnerability in Yahoo! Mail. They discovered emails sent to Yahoo! addresses that contained JavaScript in the From: field that attempted to launch a Document Object Model (DOM)-based cross-site scripting attack. Although the Trend Micro researchers were unable to replicate the attack, they contacted Yahoo!, who in response have strengthened their filters that sanitize user emails in order to protect against these kinds of JavaScript attacks.
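To make the defensive side of both stories concrete, here is an added example (not code from Yahoo!, Trend Micro or the original article) of treating a From: header as untrusted data when a webmail page is built, and of keeping the session cookie out of reach of page script. It assumes a front end that renders the message list server-side; the sample message, function names and cookie name are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html import escape
from http.cookies import SimpleCookie

# Constructed sample: the From: display name carries script markup.
RAW_MESSAGE = (
    'From: "<script>alert(1)</script>" <sender@example.com>\n'
    "To: user@example.com\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)


def sender_fields(raw):
    """Return (display_name, address) parsed from the From: header."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))


def render_sender_unsafe(raw):
    """Weak form: header text is concatenated into the page as markup."""
    name, addr = sender_fields(raw)
    return '<td class="from">' + name + " &lt;" + addr + "&gt;</td>"


def render_sender_safe(raw):
    """Hardened form: every header-derived value is HTML-encoded on output."""
    name, addr = sender_fields(raw)
    return '<td class="from">{} &lt;{}&gt;</td>'.format(escape(name), escape(addr))


def session_cookie_header(token):
    """Cookie that page script cannot read (HttpOnly), sent only over HTTPS."""
    cookie = SimpleCookie()
    cookie["session"] = token  # hypothetical cookie name
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    print(render_sender_unsafe(RAW_MESSAGE))
    print(render_sender_safe(RAW_MESSAGE))
    print(session_cookie_header("constructed-token"))
```

Output encoding stops the header from being parsed as markup, while HttpOnly limits the damage if some other injection point is missed, since the script can no longer read the session cookie.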

Such types of attacks are not uncommon and in the past successful webmail attacks have targeted accounts owned by journalists and political activists. Normally when an account is compromised the victim is unaware, which is exactly what the attackers want as they can steal the messages and launch further attacks against the victim’s contacts, all without detection.

Webmail is but one example of a cloud-based service which is potentially vulnerable to outside attack. As the use of cloud-based services (including free webmail, free cloud storage space and social networking) increases, so does its attraction to attackers.