Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

Hacker's ad for a Yahoo email-stealing exploit, up for sale at $700

Cory Doctorow at 2:17 pm Fri, Nov 23, 2012

— FEATURED —

Book Review

The Man Who Laughs: grotesque Victor Hugo potboiler was the basis for The Joker

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle

Brian Krebs has located and published a sales pitch from a hacker who has found a zero-day exploit allowing him to steal cookies from Yahoo webmail users, granting access to their accounts.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Yahoo Email-Stealing Exploit Fetches $700

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE:  Business • security • videos • yahoo • youtube

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • http://www.peterbagge.com/ Buddy Bradley

    I’m guessing this only works if the victim is dumb enough to click on a link in a spammy-looking email, right?

    • Glippiglop

      Yes.  This is the sort of trick that you would use in a phishing expedition, whereby the attacker might only expect 1% of the 1,000,000 people he emailed to click on the link.  A career criminal could easily turn a profit from the initial investment.

      It’s a good trick to employ as the attacker does not need to forge the login page of the affected site; in fact the browser will likely log the user straight into the account if a cookie is active from a previous session.  This can be observed in the video.

    • invictus

      You’re guessing incorrectly. Stored xss can execute on load, with no input from the user. It all depends on where in served page the script is being injected.
      See http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent for a brief explanation.

  • danimagoo

    “Will sell only to trusted people” … irony much?

    • bklynchris

      …”cause I don’t want it to get patched soon!” add dickweed to irony, and what a bizarrely written sentence.

  • http://www.facebook.com/jrrennie Jake Rennie

    $700 for one exploit? I’m in the wrong line of work.

  • Charlie B

    I’m glad this stuff is out in the open.  If our corporate-owned governments had their way, we’d never know about these vulnerabilities.

  • Tankut Erinc

    it will be patched up as soon as yahoo puts together $700.
    oh wait!

  • plyx

    Fuck this guy. Fuck all “hackers”. Real h4x0rz don’t steal from common folk.

    • Boundegar

      Is that what they told you in Wired?

    • http://tryingsense.blogspot.com/ R_Young

      Perhaps you meant “shouldn’t”.

      The following question is then “According to who?”
      or whom.  Whatever.

  • http://www.figuiere.net/hub/ Hubert Figuière

    Remember, Yahoo! Mail is still not offered over https. Which mean that it is already vulnerable to basic traffic sniffing.