Comments on: Hacker's ad for a Yahoo email-stealing exploit, up for sale at $700 http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html Brain candy for Happy Mutants Mon, 20 May 2013 14:16:00 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: Hubert Figuière http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1591434 Hubert Figuière Mon, 26 Nov 2012 14:40:00 +0000 http://boingboing.net/?p=195807#comment-1591434 Remember, Yahoo! Mail is still not offered over https. Which mean that it is already vulnerable to basic traffic sniffing. Remember, Yahoo! Mail is still not offered over https. Which mean that it is already vulnerable to basic traffic sniffing.

]]> By: R_Young http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1591218 R_Young Mon, 26 Nov 2012 00:52:00 +0000 http://boingboing.net/?p=195807#comment-1591218 Perhaps you meant "shouldn't". The following question is then "According to who?" or whom.  Whatever. Perhaps you meant “shouldn’t”.

The following question is then “According to who?”
or whom.  Whatever.

]]> By: Boundegar http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590745 Boundegar Sat, 24 Nov 2012 16:47:00 +0000 http://boingboing.net/?p=195807#comment-1590745 Is that what they told you in Wired? Is that what they told you in Wired?

]]> By: plyx http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590722 plyx Sat, 24 Nov 2012 14:23:00 +0000 http://boingboing.net/?p=195807#comment-1590722 Fuck this guy. Fuck all "hackers". Real h4x0rz don't steal from common folk. Fuck this guy. Fuck all “hackers”. Real h4x0rz don’t steal from common folk.

]]> By: Tankut Erinc http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590714 Tankut Erinc Sat, 24 Nov 2012 13:18:00 +0000 http://boingboing.net/?p=195807#comment-1590714 it will be patched up as soon as yahoo puts together $700. oh wait! it will be patched up as soon as yahoo puts together $700.
oh wait!

]]> By: Charlie B http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590615 Charlie B Sat, 24 Nov 2012 04:33:00 +0000 http://boingboing.net/?p=195807#comment-1590615 I'm glad this stuff is out in the open.  If our corporate-owned governments had their way, we'd never know about these vulnerabilities. I’m glad this stuff is out in the open.  If our corporate-owned governments had their way, we’d never know about these vulnerabilities.

]]> By: Jake Rennie http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590517 Jake Rennie Sat, 24 Nov 2012 00:40:00 +0000 http://boingboing.net/?p=195807#comment-1590517 $700 for one exploit? I'm in the wrong line of work. $700 for one exploit? I’m in the wrong line of work.

]]> By: bklynchris http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590505 bklynchris Sat, 24 Nov 2012 00:26:00 +0000 http://boingboing.net/?p=195807#comment-1590505 ..."cause I don't want it to get patched soon!" add dickweed to irony, and what a bizarrely written sentence. …”cause I don’t want it to get patched soon!” add dickweed to irony, and what a bizarrely written sentence.

]]> By: invictus http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590490 invictus Sat, 24 Nov 2012 00:02:00 +0000 http://boingboing.net/?p=195807#comment-1590490 You're guessing incorrectly. Stored xss can execute on load, with no input from the user. It all depends on where in served page the script is being injected. See http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent for a brief explanation. You’re guessing incorrectly. Stored xss can execute on load, with no input from the user. It all depends on where in served page the script is being injected.
See http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent for a brief explanation.

]]> By: danimagoo http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590482 danimagoo Fri, 23 Nov 2012 23:45:00 +0000 http://boingboing.net/?p=195807#comment-1590482 "Will sell only to trusted people" ... irony much? “Will sell only to trusted people” … irony much?

]]> By: Glippiglop http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590471 Glippiglop Fri, 23 Nov 2012 23:23:00 +0000 http://boingboing.net/?p=195807#comment-1590471 Yes.  This is the sort of trick that you would use in a phishing expedition, whereby the attacker might only expect 1% of the 1,000,000 people he emailed to click on the link.  A career criminal could easily turn a profit from the initial investment. It's a good trick to employ as the attacker does not need to forge the login page of the affected site; in fact the browser will likely log the user straight into the account if a cookie is active from a previous session.  This can be observed in the video. Yes.  This is the sort of trick that you would use in a phishing expedition, whereby the attacker might only expect 1% of the 1,000,000 people he emailed to click on the link.  A career criminal could easily turn a profit from the initial investment.

It’s a good trick to employ as the attacker does not need to forge the login page of the affected site; in fact the browser will likely log the user straight into the account if a cookie is active from a previous session.  This can be observed in the video.

]]> By: Buddy Bradley http://boingboing.net/2012/11/23/hackers-ad-for-a-yahoo-email.html#comment-1590439 Buddy Bradley Fri, 23 Nov 2012 22:38:00 +0000 http://boingboing.net/?p=195807#comment-1590439 I'm guessing this only works if the victim is dumb enough to click on a link in a spammy-looking email, right? I’m guessing this only works if the victim is dumb enough to click on a link in a spammy-looking email, right?

]]>