hostmonster-Host Unlimited Domains on 1 Account   coolhandle offering reliable webhosting since 2001
Unlimited Hosting Space - FREE Site Builder   Smart Website Solutions for Your Small Business=

Hacker Selling Yahoo Mail Exploit for $700

Yahoo campus signA hacker has begun selling what is claim to be a zero-day exploit that will let criminals hijack control of Yahoo Mail users’ accounts.

The hacker, who goes by the moniker TheHell, posted a video marketing a $700 exploit kit on the secretive Darkode cybercrime market today. The video was later spotted and reposted onto YouTube by security blogger Brian Krebs.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss,” TheHell proclaimed in his marketing video. “Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon”

The exploit infects users machines via a malicious email link and reportedly targets a cross-site scripting (XSS) weakness in

TheHell claimed that when clicked the malicious link exploits a cross-site scripting bug that lets criminals steal Yahoo Mail cookies. The cookies can then reportedly be used to log into and steal control of any compromised Yahoo mail account.

Krebs has reportedly informed Yahoo of the vulnerability. It is unclear whether the exploit will work, though numerous security vendors, including Trend Micro security director Rik Ferguson, have indicated TheHell’s claims could be legitimate.

“We discovered something very similar in Hotmail not too long ago,” Ferguson said. “How serious could it be? Well considering how interlinked our online services are, and how the email account is often at the heart of our web of existence it’s like handing over the keys to your online identity.”

F-Secure security researcher Sean Sullivan added that if legitimate, the exploit could prove the next hot item on the online black market.

“It certainly isn’t a good thing that an active session cookie can be stolen or hijacked. But then, that’s why I typically log off and purge my browser’s cache at the end of the day,” Sullivan said. “Also, it’s why I ‘browse’ with one browser (system default) and ‘logon’ with another. I can see this type of attack being very useful for a select audience.”

This article was originally published on V3.

SES New York

Where is Digital Marketing Heading in 2013? Find Out at SES New York.

The brightest and most insightful marketing minds in the industry will be gathering at SES New York, March 25-28. SAVE up to $1000 on an All Access Pass now through December 13. Register today!

Article source:


Submit a Review

If you want a picture to show with your review, go get a Gravatar.

1&1 has shared hosting and dedicated hosting solutions for every budget and free domains with all hosting packages!  StartLogic - Affordable hosting: Free setup/domain, unlimited emails, PHP, mySQL, CGI, FrontPage. As low as $3.95/month
Cloud ecommerce platform delivers more traffic, higher conversion and unmatched performance

© Copyright 2008 Tyconia International, Inc. All Rights Reserved.