Yahoo! mail exploit on sale for $700

The exploit allows purveyors to hijack Yahoo! email accounts, redirecting legitimate users to malicious websites when they try to log on. The vulnerability and the related entrepreneurial enterprise were uncovered by security researcher Brian Krebs, who explained that the exploit targets a cross-site scripting (XSS) weakness that allows attackers to steal cookies for the webmail site.

“Such a flaw would let attackers send or read email from the victim’s account,” Krebs said in a blog post. “In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”

An Egyptian hacker posted the exploit and a video demonstrating how it works in the Darkode cybercrime forum, along with an ebullient note, according to Krebs: “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” said the hacker, who goes by the handle TheHell. “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Yahoo! told Krebs that it was working on a fix.

“Yahoo’s director of security commented that fixing the XSS is the easy part, the challenge first is working out the exact yahoo.com URL that triggers the exploit and he is absolutely right,” commented Amichai Shulman, co-founder and CTO at Imperva, in an email to Infosecurity. “Mitigating XSS is not hard. The problem is that you have a gazillion URLs and parameters that might be vulnerable.”

XSS exploits and vulnerabilities cropped up on an almost epidemic basis earlier this year. Shulman added that the rise in XSS vulnerabilities in 2012 shows that companies need to change their tactics. “The main issue here is not Yahoo! specific but rather regarding such vulnerabilities as XSS,” he said. “Organizations should realize that we are living in a new era where the combination of good coding practices and network security is no longer good enough. Threats and attacks in this time and age require the use of application and data security and in run time, and particularly the use of web application firewalls.”

Krebs noted that XSS attacks are simple but highly effective, so web denizens should be vigilant. “As powerful as XSS attacks can be, they are unfortunately also extremely common,” he noted. “These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.”
