$700 Hack Threatens Millions of Yahoo Mail Users
CREDIT: Lyao / Shutterstock.com
A new exploit being sold for $700 may put tens of millions of Yahoo Mail users at risk.
Once victims click on a malicious email link, the exploit allows an attacker to steal and replace tracking cookies, while remotely controlling the victims' browsing sessions.
"After the victim clicks the link, he will be redirected to the email page again," a demonstration video for the hack explained. "And you can redirect him to wherever you want."
According to Yahoo, fixing the exploit won't be nearly as difficult as finding it. That's because it's an XSS flaw set off by a URL, a hole that can easily be patched, but hard to locate.
"Fixing it is easy," Ramses Martinez, Yahoo director of security, told computer security writer Brian Krebs. "Once we figure out the offending URL, we can have new code deployed in a few hours."
The exploit is being sold by an Egyptian hacker who goes by "TheHell" and who's taken measures to make sure the patch happens later, rather than sooner.
"While I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!" TheHell wrote. What's more, "you don't need to bypass IE or Chrome xss filter," he explained
Krebs pointed out that if Yahoo paid hackers to report bugs to the company, it might have been worth TheHell's while to turn it in rather than selling it to criminals. If the vulnerability had been Google's, for example, Google would have purchased it for $1,337.
When opening emails, users should approach links with skepticism and be especially wary of any links that come from unexpected or unknown sources.
The Open Web Security Project lists XSS flaws like this among its Top 10 Application Security Risks.