Yahoo Mail

Granny says, "All ya'll Yahoo email account users better lissen up...
:eusa_eh:
If You Have a Yahoo! Email Account and Value Your Privacy, You Will Want to Read This
November 27, 2012 - A hacker is capitalizing on a Yahoo! flaw that could allow email accounts to become compromised and could trick users into clicking on malicious websites. But criminal hackers will have to pay to obtain details about how to conduct this hack. The cost: $700.
Brian Krebs on his blog Krebs on Security reported last week that an Egyptian hacker was offering this deal on an “exclusive cybercrime forum” called Darkode. The hack itself steals cookies, which Krebs explains leads hackers into their target’s account where they can send or read emails. Here’s how the hacker going by “The Hell” advertised his exploit, according to Krebs: “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Krebs writes that he contacted Yahoo! to alert them of the problem and was told the vulnerability will be relatively easy to fix. “Fixing it is easy, most XSS are corrected by simple code change,” Ramses Martinez, director of Yahoo! security, said to Krebs. “Once we figure out the offending URL we can have new code deployed in a few hours at most.” Until that URL is identified, Krebs noted that the vulnerability serves to remind users to be careful when clicking on links from strangers or that are in odd messages.

Source
Click to expand...

See also:

Yahoo Email-Stealing Exploit Fetches $700
A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The hacker posted the following video to demonstrate the exploit for potential buyers. I’ve reproduced it and published it to youtube. “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video. “Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”

According to the Open Web Application Security Project (OWASP), XSS flaws fall into two categories: Stored, and reflected. TheHell said his exploit attacks a stored XSS vulnerability, in which the injected code is permanently stored on the target servers, such as in a database, message forum, visitor log, or comment field. The victim’s browser then retrieves the malicious script from the server when it requests the stored information. As powerful as XSS attacks can be, they are unfortunately also extremely common. Xssed.com, the definitive archive of reported XSS vulnerabilities, lets users index them by Google Pagerank, making it quite easy to find several examples of other unfixed and recently-patched XSS flaws in yahoo.com and other properties. Also, the Open Source Vulnerability Database (OSVDB) lists new and fixed vulnerabilities by vendor.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting. You don’t have to cater to cybercrooks to make money finding vulnerabilities in software, hardware and online services. Many companies pay researchers to report flaws, including Facebook, Google, Mozilla, CCBill and Piwik. Yahoo doesn’t have a bug bounty program, but if it modeled one after Google’s program this vulnerability would be worth $1,337. Also, Verisign’s iDefense and Tipping Point both purchase vulnerability research.

MORE
Click to expand...
 
My yahoo was compromised a while ago. I have not gone back on it and opened another email service.
 
Connery said:
My yahoo was compromised a while ago. I have not gone back on it and opened another email service.
Click to expand...

Well, I don't know how they got into my Gmail but buried in my Trash folder (which I neglected to "delete forever") was a year old scan of a bank wire transfer order. With my signature. I was a fucking idiot for not making sure to erase all that shit.

Someone duplicated it, filled in their own info, and convinced the branch manager that it was me requesting that $68,000 be wired from our corporate account to Malaysia. I can not fucking believe the gal fell for it.

It gets worse. FBI notified, etc. Fuck me. Fuck the bank.
 
Mr. H. said:
Connery said:
My yahoo was compromised a while ago. I have not gone back on it and opened another email service.
Click to expand...

Well, I don't know how they got into my Gmail but buried in my Trash folder (which I neglected to "delete forever") was a year old scan of a bank wire transfer order. With my signature. I was a fucking idiot for not making sure to erase all that shit.

Someone duplicated it, filled in their own info, and convinced the branch manager that it was me requesting that $68,000 be wired from our corporate account to Malaysia. I can not fucking believe the gal fell for it.

It gets worse. FBI notified, etc. Fuck me. Fuck the bank.
Click to expand...

That is truly a nightmare. Was the bank held responsible for their own stupidity?
 
You must log in or register to reply here.

Attention Linux gurus...

< Previous Thread

Bored? Game: equires Flash

Next Thread >

Similar threads

Flopper
ID Theft - If you think this can't happen to you, then you should take a look at this post
2
Replies
21
Views
202
Flopper
Flopper
Baron
Khuev's junta want to murder 450,000-500,000 more Ukrainians
Replies
0
Views
105
Baron
Baron
JohnMoorr
The trail of the terrorist attack wanders and wobbles, but still leads to Kyiv
Replies
0
Views
138
JohnMoorr
JohnMoorr
IM2
GOP candidates skip Iowa’s only minority-focused forum
2
Replies
33
Views
415
Nostra
Nostra
DGS49
Golfers? "Swing Thoughts"
Replies
4
Views
183
DGS49
DGS49

Latest Discussions

Deplorable Yankee
Like riding the subway through the ghetto
Replies
5
Views
31
Lisa558
L
Z
some say, if the wrong man wins, i will leave the US. But … where to?
2 3
Replies
54
Views
309
Sparker
Sparker
IM2
They Used to Love Charles Barkley But This is What he Said About Black Trump Supporters
Replies
3
Views
37
Hellokitty
Hellokitty
IM2
Why Does the Right Focus So Much on the Penny Ante Street Criminal and not the Criminals who steal Peoples Life savings?
2 3
Replies
44
Views
131
pknopp
pknopp
kyzr
  • Poll
Predict the 2024 presidential election. Not who you will vote for, but who will win & why. (Poll)
3 4 5
Replies
92
Views
369
Mac1958
Mac1958
View more…

Forum List

Back
Top