
Yahoo! email zero-day exploit being sold for $700

Tuesday, November 27th, 2012

In an unusually candid look at the black market for exploits, one seller has been caught openly offering an exploit for Yahoo! Mail accounts to anyone willing to pay $700. So far, Yahoo! has not been able to pin down exactly what is causing the vulnerability.

In other words, these transactions have been exposed and are taking place right out in the open, yet the selling continues. The seller, who goes by the online handle TheHell, touts the exploit as a “stored XSS” (cross-site scripting) flaw. In a stored XSS the attacker’s script is saved on the server side, here in content held by Yahoo! Mail, rather than merely reflected back from a crafted URL. Once a victim clicks the malicious link in an email, the injected code runs in their browser with the privileges of their logged-in session, and it runs again every time the poisoned content is viewed. The victim can do very little to reverse its effects, because the payload lives on Yahoo!’s servers rather than on their own machine; it is something only Yahoo! can fix internally.

In an interview with KrebsOnSecurity, Yahoo! director of security Ramses Martinez said that the issue is now known and his team is working on a fix, but that it is difficult to pin down exactly where the flaw lies and what the best course of action is.

Exploits like this are not as rare as you might expect, though it is uncommon for one to be exposed this openly with no immediate fix or patch available. TheHell is based in Egypt, which makes any legal action that might put even a temporary stop to the sales very difficult.

Krebs also produced a mock-up video resembling the one TheHell uses to entice customers. Check it out below; in the meantime, be wary of clicking any link in an email that looks unusual or comes from someone you do not know.