November 23, 2012

A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The hacker posted the following video to demonstrate the exploit for potential buyers. I’ve reproduced it and published it to youtube.

“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.

“Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”

According to the Open Web Application Security Project (OWASP), XSS flaws fall into two categories: Stored, and reflected. TheHell said his exploit attacks a stored XSS vulnerability, in which the injected code is permanently stored on the target servers, such as in a database, message forum, visitor log, or comment field.  The victim’s browser then retrieves the malicious script from the server when it requests the stored information.

As powerful as XSS attacks can be, they are unfortunately also extremely common. Xssed.com, the definitive archive of reported XSS vulnerabilities, lets users index them by Google Pagerank, making it quite easy to find several examples of other unfixed and recently-patched XSS flaws in yahoo.com and other properties. Also, the Open Source Vulnerability Database (OSVDB) lists new and fixed vulnerabilities by vendor.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.

You don’t have to cater to cybercrooks to make money finding vulnerabilities in software, hardware and online services. Many companies pay researchers to report flaws, including FacebookGoogle, Mozilla, CCBill and Piwik. Yahoo doesn’t have a bug bounty program, but if it modeled one after Google’s program this vulnerability would be worth $1,337. Also, Verisign’s iDefense and Tipping Point both purchase vulnerability research.

In addition, a number of companies allow researchers to legally probe their networks and services for vulnerabilities. The list below comes from the blog of noted security expert Dan Kaminsky:

Paypal
Salesforce
Microsoft
Twitter
eBay
Adobe
Reddit
GitHub
Constant Contact
37 Signals
Zeggio
Simplify, LLC
Team Unify
Skoodat
Relaso
Modus CSR
CloudNetz
EMPTrust
Apriva

This entry was posted on Friday 23rd of November 2012 12:01 AM


21 thoughts on “Yahoo Email-Stealing Exploit Fetches $700

  1. Uzzi

    Broken security is broken?! … is *blacklisting* code and/or offending URLs really best practice or is it just me who’s puzzled? (Hope they have fun “watching the video” to identify “the exact yahoo.com URL that triggers the exploit”… */facepalm*)

  2. NA

    Really Brain…Why are you so protective to not say the site this is from? You literally copy/pasted from the sale thread, might as well as do a thorough post and not forget the details.

  3. xit

    NA you forget to add the people over at Yahoo must posses magical powers if they think watching this video will allow them to identify or patch anything.

  4. Rabid Howler Monkey

    A question: Does using an email client configured with SSL or TLS provide more security than using a web browser for email? One would at least be safe from XSS flaws in web sites and browsers.

    1. BrianKrebs Post author

      I think it depends. With this attack, it would still work if you clicked the link in your email client and were signed in to yahoo.com, or had it set to remember your cookie and not bother you for a password.

  5. Phoenix

    I think this isn’t the first time Yahoo email got hit. Another party’s account was hit and got my email address and sent me some malicious junk. I use a mail client, Mozilla Thunderbird, and keep the online boxes, including trash, emptied.

  6. nonegiven

    There are a lot of reports that people are getting texts, calling them by name, from textplus numbers wanting the recipient to add an unknown person to Y! Messenger. They seem to be getting names and mobile numbers from Facebook. I wonder if the plan is to hijack the email accounts, using this exploit.

  7. manu2411

    A XSS able to steal session cookie? It suggests Yahoo session cookie is not set with the httpOnly flag, which make a cookie unaccessible by JavaScript. Is there any good reason why Yahoo would not use that flag?

  8. George A.

    Using Firefox 17 with NoScript I received the yellow xss warning bar across the top. Curiously when just before updating to FF 17 and still running FF 16.2, I received no warning.

    1. Rabid Howler Monkey

      A forum thread on your observation at informaction.com (no resolution yet):

      “Problem XSS error on att.yahoo.com
      http://forums.informaction.com/viewtopic.php?f=7&t=11047&p=45460&hilit=yahoo+xss%E2%80%A6#p45460

      Another interesting forum thread at informaction.com:

      “XSS @ mail.yahoo.com
      http://forums.informaction.com/viewtopic.php?f=7&t=9528&p=45526&hilit=yahoo+xss%E2%80%A6#p45526

      The last post, dated November 24, 2012, described being asked to confirm password when logging out of mail.yahoo.com. This was also after upgrading to Firefox 17.0.

  9. Duh

    It looks like the XSS is actually on groups.yahoo.com, but because they share the same session cookie and mail is a higher target, mail is what is being advertised.

  10. Duh

    You can see it bounce over to “groups.yahoo.com” at 28 seconds into the video. This isn’t an issue directly affecting mail at all.

    1. lokipaki

      all yahoo XSS-es are used exactly for your email session. Regardless groups or anything you see.

      But since you mentioned the 28 second was also a hint so hackers could steal the info about the XSS and yahoo find out what to patch. In fact it was patched by now.

  11. Rob

    Sounds like this is the way my Yahoo account was hijacked. All I did was click a link from my iPhone mail app, and next thing I knew, the same link was being forwarded from my account. Here are two blogs that post about being stung by the same link that got me, a site that looked like an MSN domain, upon quick glance (I didn’t want to post the direct link but you’ll see it in these blogs).

    http://ask.metafilter.com/228755/Is-this-a-legitimate-article#3311406

    http://kiddynamitesworld.com/come-all-ye-computer-geeks-and-listen-to-my-email-virus-tale/

    1. Uzzi

      So you clicked on a link that looked like something at MSN but obfuscated a site in russia (178.208.137.39) and took over your account to spam all your contacts and/or others…

      While Google Safe Browsing, Norton Safe Web, VirusTotal and all others said the site was clean they can’t verify what code was delivered if someone came with a HTTP referer that told them you are their spam vitim. (And retroactively nobody can tell because the domain was deleted – although there are many clones out there…)

      At least change your passwords… (and NEVER EVER click any links you are not absolutely sure that they are safe again – particularly if received by email).

      1. theodore

        Also, if you can, verify that the link you’re clicking on matches the embedded url of the link.

  12. Stephano

    This forum does not stop to amaze from time to time, now there is a zeroday in java being sold

  13. Shadow

    It’s just like my mother would tell me, if you’re going to use cross site requests, you’d better call GET instead of POST, else you’re going to have a bad day.

Comments are closed.