Hacker's ad for a Yahoo email-stealing exploit, up for sale at $700


12 Responses to “Hacker's ad for a Yahoo email-stealing exploit, up for sale at $700”

  1. I’m guessing this only works if the victim is dumb enough to click on a link in a spammy-looking email, right?

    • Glippiglop says:

      Yes.  This is the sort of trick that you would use in a phishing expedition, whereby the attacker might only expect 1% of the 1,000,000 people he emailed to click on the link.  A career criminal could easily turn a profit from the initial investment.

      It’s a good trick to employ as the attacker does not need to forge the login page of the affected site; in fact the browser will likely log the user straight into the account if a cookie is active from a previous session.  This can be observed in the video.

    • invictus says:

      You’re guessing incorrectly. Stored XSS can execute on load, with no input from the user. It all depends on where in the served page the script is being injected.
      See http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent for a brief explanation.

  2. danimagoo says:

    “Will sell only to trusted people” … irony much?

  3. Jake Rennie says:

    $700 for one exploit? I’m in the wrong line of work.

  4. Charlie B says:

    I’m glad this stuff is out in the open.  If our corporate-owned governments had their way, we’d never know about these vulnerabilities.

  5. Tankut Erinc says:

    It will be patched up as soon as Yahoo puts together $700.
    Oh wait!

  6. plyx says:

    Fuck this guy. Fuck all “hackers”. Real h4x0rz don’t steal from common folk.

  7. Remember, Yahoo! Mail is still not offered over https. Which means that it is already vulnerable to basic traffic sniffing.
