Yahoo Mail hijacking exploit selling for $700

XSS vulnerability allows attacks to steal and replace tracking cookies, as well as read and send e-mail from a victim's account.

Steven Musil
Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
2 min read

An exploit selling for $700 may put millions of Yahoo Mail users at risk of having their e-mail account hijacked and their browsers redirected to malicious sites.

Marketed by an allegedly Egyptian hacker on a cybercrime forum, the exploit targets a cross-site scripting (XSS) vulnerability in Yahoo.com that allows attackers to steal and replace tracking cookies, as well as read and send e-mail from a victim's account. Typically, an attacker will encode a malicious link in e-mails; the script is executed when the unsuspecting recipient clicks on the link, allowing access to the cookies and other sensitive information.

"After the victim clicks the link, he will be redirected to the e-mail page again," the hacker, who goes by the handle TheHell, said in a demonstration video for the hack (see below). "And you can redirect him to wherever you want."

"I'm selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers," the hacker explained. "And you don't need to bypass IE or Chrome xss filter as it do that itself because it's stored xss. Prices around for such exploit is $1,100 - $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don't want it to be patched soon!"

Yahoo said it quickly repaired the vulnerability after learning about the video.

"We immediately deployed teams to investigate the issue and confirm that the vulnerability has been fixed," Yahoo said in a statement to CNET. "We recommend that users follow simple online security measures such as changing passwords on a regular basis, never clicking on links in e-mails requesting a password and to familiarize themselves with our online safety tips at security.yahoo.com."

Meanwhile, Yahoo tells KrebsOnSecurity.com that while the hole can be easily patched, the challenge lies in locating the hole.

"Fixing it is easy," Yahoo Director of Security Ramses Martinez told KrebsOnSecurity. "Once we figure out the offending URL, we can have new code deployed in a few hours."

The vendor says this XSS flaw falls into the category of a stored vulnerability, which inserts malicious code into a file, database, or back-end system. The malicious script is then retrieved from the server when it requests the stored information.

Updated at 3:20 p.m. PT with Yahoo comment.