Krebs on Security's Brian Krebs reports that a zero-day exploit providing access to Yahoo webmail accounts is being sold by an Egyptian hacker for $700.
"The exploit ... targets a 'cross-site scripting' (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users," Krebs writes. "Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."
"The attacker, who goes by the handle TheHell, posted a demo video. ... Victims are sent an email to their Yahoo account and that attacker tries to trick them into clicking on a malicious link, according to TheHell’s video," writes Threatpost's Michael Mimoso. "Once on the site, the attack logs the victim’s cookies and redirects them back to their Yahoo email page. From there, the attacker owns the victims account and can read or send messages."
"Yahoo! is investigating the alleged vulnerability, following a tip-off from Krebs," writes The Register's John Leyden. "The video advertising the exploit fails to explain which vulnerable URL would trigger the attack, something that's proving a little hard to pin down. Yahoo!'s director of security, Ramses Martinez, told Krebs: 'Fixing it is easy, most XSS are corrected by simple code change. ... Once we figure out the offending URL we can have new code deployed in a few hours at most.'"
"Krebs pointed out that if Yahoo paid hackers to report bugs to the company, it might have been worth TheHell's while to turn it in rather than selling it to criminals," writes TechNewsDaily's Ben Weitzenkorn. "If the vulnerability had been Google's, for example, Google would have purchased it for $1,337."