A hacker is selling a $700 zero-day exploit for Yahoo Mail that lets an attacker use a cross-site scripting (XSS) vulnerability to steal cookies and hijack accounts.
The hacker, known as “TheHell”, created a video to market the exploit on an underground cyber crime market called Darkode.
According to the video, an attacker would have to lure a victim into clicking a malicious link to launch the exploit code, which records the user’s cookies: small files, retained by the browser and sent with requests to that site, that hold user details, session tokens or other sensitive information.
The video claims that the cookie logger then replays the stolen cookies, allowing the attacker to log in to the hijacked Yahoo email account, according to the Naked Security blog of security firm Sophos.
The hacker claims that the exploit works on all browsers and does not require an attacker to bypass IE or Chrome XSS filters, adding: “Will sell only to trusted people cuz I don't want it to be patched soon!"
Security researcher Brian Krebs alerted Yahoo to the vulnerability, and the company said it was responding to the issue.
Ramses Martinez, director of security at Yahoo, told Krebs that the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.
“Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”
TheHell said his exploit attacks a stored XSS vulnerability, in which the injected code is permanently stored on the target servers, such as in a database, message forum, visitor log or comment field.
The victim’s browser then retrieves the malicious script from the server when it requests the stored information, said Krebs.
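As an added illustration of the stored XSS pattern described above and of the "simple code change" Martinez refers to, here is a hypothetical comment-rendering routine in its vulnerable and hardened forms, plus the cookie flag that limits what a cookie-stealing script can read. This is example code written for this article, not Yahoo's code; the comment record, field names and session cookie name are all assumed.

```javascript
// Constructed sample: a comment as it would be read back from the database.
// The body is a harmless marker, not a cookie logger; it only shows that
// whatever one user stored is executed in every other visitor's browser.
const STORED_COMMENT = {
  author: "guest",
  body: "<script>document.title='pwned'</script>Nice post",
};

// Vulnerable renderer: stored text is interpolated straight into the page,
// so the script tag reaches the browser intact (stored XSS).
function renderCommentVulnerable(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.body}</div>`;
}

// The fix: HTML-encode every untrusted field before it reaches the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: same output shape, but stored data is treated as text.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Defence in depth: a session cookie flagged HttpOnly is not exposed to
// document.cookie, so a script that does run cannot read it; Secure keeps it
// off plaintext HTTP. The cookie name "sid" is assumed.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Detection helper for tests and review: does rendered HTML still carry a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable:", renderCommentVulnerable(STORED_COMMENT));
console.log("hardened:  ", renderCommentSafe(STORED_COMMENT));
console.log("cookie:    ", sessionCookieHeader("example-session-id"));
```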