Yahoo Stored Cross Site Scripting (XSS) Vulnerability

A hacker has begun selling what is claim to be a zero-day exploit that will let criminals hijack control of Yahoo Mail users' accounts.

A cross-site scripting (XSS) flaw on Yahoo! Mail creates a means to steal cookies and hijack accounts, according to a hacker who is offering to sell an alleged zero-day vulnerability exploit for $700.
The cybercrook, who uses the online nickname TheHell, knocked up a video to market the exploit which he is attempting to sell through Darkode, an underground cybercrime bazaar. The clip was captured and reposted on YouTube by security blogger Brian Krebs.

The video explains that the attack works by tricking a victim into clicking on a maliciously crafted link. This link supposedly exploits a cross-site scripting bug to steal the victim's Yahoo! mail cookies, which a cybercrook can later use to log into and hijack compromised Yahoo! webmail accounts.
Krebs has reportedly informed Yahoo of the vulnerability. It is unclear whether the exploit will work, though numerous security vendors, including Trend Micro security director Rik Ferguson, have indicated TheHell's claims could be legitimate.
"We discovered something very similar in Hotmail not too long ago," Ferguson said. "How serious could it be? Well considering how interlinked our online services are, and how the email account is often at the heart of our web of existence it's like handing over the keys to your online identity."

Yahoo! is investigating the alleged vulnerability, following a tip-off from Krebs. The video advertising the exploit fails to explain which vulnerable URL would trigger the attack, something that's proving a little hard to pin down.

F-Secure security researcher Sean Sullivan added that if legitimate, the exploit could prove the next hot item on the online black market.

No comments:

Post a Comment