Millions of Yahoo Mail accounts vulnerable to email hijacking

Tuesday, November 27, 2012 16:52

(Before It's News)

An internet hacker has offered to sell code that will allow a person to hijack Yahoo email accounts.

The hacker, said to be an Egyptian who goes by the username TheHell, has offered an exploit for the price of $700 on an underground cyber crime community called Darkode.

It works when an unsuspecting email user clicks on a malicious hyperlink sent in an email. By clicking on the link, they unwittingly allow a cyber attacker access to their Yahoo Mail account.

‘After the victim clicks the link, he will be redirected to the email page again,’ a YouTube video advertising the hack said.

Online security blogger Brian Krebs noticed the publicity from the suspected hacker last week.

The exploit ‘targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users,’ he explained in a blog posting on his website Krebs on Security.

‘Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page,’ he added.
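The defensive side of the cookie-stealing XSS described above, as an added example that is not from the original article or from Yahoo: a page that reflects a URL parameter verbatim next to a hardened version, plus a small audit of each response. The `q` parameter, function names, host name and token value are assumptions constructed for illustration.

```javascript
// Added illustration; all names and values here are hypothetical/constructed.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Weak: reflects the query parameter verbatim and leaves the cookie script-readable.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return {
    headers: { 'Set-Cookie': 'session=CONSTRUCTED_TOKEN; Path=/' },
    body: `<p>Results for ${q}</p>`,
  };
}

// Hardened: encode on output, keep the session cookie away from scripts, restrict script sources.
function renderHardened(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return {
    headers: {
      'Set-Cookie': 'session=CONSTRUCTED_TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax',
      'Content-Security-Policy': "default-src 'self'; script-src 'self'",
    },
    body: `<p>Results for ${escapeHtml(q)}</p>`,
  };
}

// Audit helper: list the protections a response is missing.
function audit(resp) {
  const findings = [];
  const cookie = resp.headers['Set-Cookie'] || '';
  if (!/;\s*HttpOnly/i.test(cookie)) findings.push('session cookie readable by script (no HttpOnly)');
  if (!/;\s*Secure/i.test(cookie)) findings.push('session cookie sent over plain HTTP (no Secure)');
  if (!resp.headers['Content-Security-Policy']) findings.push('no Content-Security-Policy');
  if (/<script/i.test(resp.body)) findings.push('request data reflected as markup');
  return findings;
}

// Constructed probe URL carrying a harmless marker in the reflected parameter.
const probe = 'https://mail.example.test/search?q=' + encodeURIComponent('<script>alert(1)</script>');
console.log('vulnerable:', audit(renderVulnerable(probe)));
console.log('hardened:', audit(renderHardened(probe)));
```

Output encoding removes the injection point itself; `HttpOnly` and the Content-Security-Policy header limit what a script could reach if another injection point is missed.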

Krebs informed Yahoo about the intended attack and the internet company said their security team is responding by fixing any potential vulnerabilities.

‘Fixing it is easy,’ Ramses Martinez, Yahoo director of security told Krebs.

‘Once we figure out the offending URL, we can have new code deployed in a few hours.’

But the hacker seemed to anticipate the company would evolve their code once the malicious link began to circulate.

The mastermind of the attack said the exploit would only be sold to a small group of ‘trusted people’ to prevent it from being patched or modified to fix the bug.

Krebs noted that TheHell does not seem to be focused on reaping a profit from the endeavor, since web search engines like Yahoo and Google offer more to hackers who report such bugs.

Google pays as much as $1,337 for vulnerabilities that are reported, according to Krebs.
