Industry News

XSS Exploit that steals Yahoo Mail Cookies Sold for $700

If you’re planning to hack all your friends in your Yahoo! Messenger list, a zero-day XSS exploit is the way to go. At least, this is what the cyber-criminal who goes by the handle “TheHell” would recommend if you have $700 to spend. According to the advertisement on an underground, cyber-crime focused forum, the Egyptian hacker has found a zero-day XSS exploit within the Yahoo infrastructure.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote ‘TheHell,’ as quoted by tech journalist Brian Krebs. “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

In layman’s terms, XSS (Cross-Site Scripting) attacks are divided into two categories: stored and reflected attacks. Stored attacks allow the attacker to save malicious code in the database of the target website, as a comment, a search query or through any other way of adding content. Whenever that specific page is loaded, the malicious script executes. Reflected attacks are delivered with a link to the vulnerable service, which reflects the attack back to the browser. These are harder to pull off in modern browsers, as many of them have built-in XSS protection.

One of the most important security concepts for websites is the Same Origin Policy. It allows scripts running on pages to freely access each other’s data as long as they have the same origin (i.e. they have been loaded from the same site), but prevents scripts loaded from another site from accessing that data. For instance, a voting script running on website Y can check whether the user is logged in to website Y, to prevent unregistered users from voting. However, a script running on website Z will not be allowed to check whether the user is logged in to website Y, because the two have different origins. Stored XSS attacks inject malicious scripts into specific pages, so the malicious script has the same origin as the targeted website.

In this case, the advertised exploit accesses the cookies set by Yahoo and sends them to the attacker. Once the attacker has the cookies and the username, they can access the respective account by tricking the browser into believing that authentication has already taken place and the victim’s account is logged in. This is essentially how the “remember me” function works.

Now, don’t believe that the exploit will be used by the buyer just to play a couple of innocent pranks on YIM contacts. Most of the time, e-mail accounts are valuable resources to spammers, who can send their advertisements from a legitimate e-mail account until it gets blacklisted or suspended. Free mail accounts are in high demand these days because antispam vendors can’t block the entire domain, since it also hosts millions of other legitimate e-mail addresses. More than that, cyber-crooks can’t automate the registration of e-mail addresses because of various challenges (CAPTCHA and the automated account-generation detection run by Yahoo). So stealing them in an automated way would work best.

Secondly, it could also be used for highly targeted data theft. Two years ago, Chinese and Taiwanese military officials were spear-phished by criminals into disclosing their Gmail passwords, so the attackers could rummage through whatever classified information they might have stored in the inbox. If it worked for Gmail, it could also work for Yahoo.

Bottom line: don’t click anything you don’t fully trust, especially when a zero-day exploit is in the wild for the service you’re using. Look for an antispam solution to block unwanted messages before you receive them and, if possible, add a second e-mail address and a phone number to receive alerts when your password is changed or other modifications are made to your account.

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.