A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
The hacker posted the following video to demonstrate the exploit for potential buyers. I’ve reproduced it and published it to youtube.
“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”
KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.
“Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”
According to the Open Web Application Security Project (OWASP), XSS flaws fall into two categories: Stored, and reflected. TheHell said his exploit attacks a stored XSS vulnerability, in which the injected code is permanently stored on the target servers, such as in a database, message forum, visitor log, or comment field. The victim’s browser then retrieves the malicious script from the server when it requests the stored information.
As powerful as XSS attacks can be, they are unfortunately also extremely common. Xssed.com, the definitive archive of reported XSS vulnerabilities, lets users index them by Google Pagerank, making it quite easy to find several examples of other unfixed and recently-patched XSS flaws in yahoo.com and other properties. Also, the Open Source Vulnerability Database (OSVDB) lists new and fixed vulnerabilities by vendor.
These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.
You don’t have to cater to cybercrooks to make money finding vulnerabilities in software, hardware and online services. Many companies pay researchers to report flaws, including Facebook, Google, Mozilla, CCBill and Piwik. Yahoo doesn’t have a bug bounty program, but if it modeled one after Google’s program this vulnerability would be worth $1,337. Also, Verisign’s iDefense and Tipping Point both purchase vulnerability research.
In addition, a number of companies allow researchers to legally probe their networks and services for vulnerabilities. The list below comes from the blog of noted security expert Dan Kaminsky:
Paypal
Salesforce
Microsoft
Twitter
eBay
Adobe
Reddit
GitHub
Constant Contact
37 Signals
Zeggio
Simplify, LLC
Team Unify
Skoodat
Relaso
Modus CSR
CloudNetz
EMPTrust
Apriva