A new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo email accounts is for sale in an exclusive underground market for $700, less than half of market value, according to the hacker.
The attack steals session cookies for Yahoo email and could allow an attacker to access the account and read or send messages, said Krebs on Security, which reported the vulnerability to Yahoo.
The attacker, who goes by the handle TheHell, posted a demo video. He said this is a stored cross-site scripting attack; stored attacks occur when code is permanently stored on the vulnerable server in a database, or even a comment field, OWASP said. Every time a victim requests the stored information, the attack is carried out. This is in contrast to a reflected attack, where injected code is reflected from a web server to the browser.
TheHell said stored cross-site scripting attacks bypass XSS filters built into browsers such as Chrome and Internet Explorer. He added that such attacks normally go for as much as $1,500.
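As an added illustration (not from the article or from either browser's code), the sketch below models a reflection-matching filter in simplified form to show why markup served from storage is not caught by it, and how output encoding on the server handles both cases. The filter logic, URLs and function names are assumptions made for the example.

```javascript
// Simplified model (an assumption, not Chrome's or IE's real algorithm) of a
// browser reflected-XSS filter: block a response when a script block in it
// also appears verbatim in the request that produced it.
function reflectionFilterBlocks(requestUrl, responseHtml) {
  const request = decodeURIComponent(requestUrl).toLowerCase();
  const scripts = responseHtml.toLowerCase().match(/<script[\s\S]*?<\/script>/g) || [];
  return scripts.some((s) => request.includes(s));
}

// Server-side fix that covers both cases: encode untrusted text on output.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: harmless marker standing in for injected markup.
const MARKER = "<script>alert(1)</script>";

// Hypothetical page renderers: `encode` toggles output encoding.
function renderSearch(query, encode) {
  return "<p>Results for " + (encode ? escapeHtml(query) : query) + "</p>";
}
function renderMessage(storedBody, encode) {
  return "<div class=\"msg\">" + (encode ? escapeHtml(storedBody) : storedBody) + "</div>";
}

function demo() {
  // Reflected: the markup travels in the request, so the filter can match it.
  const reflectedUrl = "/search?q=" + encodeURIComponent(MARKER);
  const reflected = reflectionFilterBlocks(reflectedUrl, renderSearch(MARKER, false));

  // Stored: the markup was saved earlier; the victim's request carries only an id.
  const storedUrl = "/mail/view?id=42";
  const stored = reflectionFilterBlocks(storedUrl, renderMessage(MARKER, false));

  // With output encoding the stored markup is rendered as inert text.
  const fixed = renderMessage(MARKER, true);
  return { reflected, stored, fixed };
}

console.log(demo());
```

The model flags the reflected response but not the stored one, because the second request contains nothing to match against; encoding at render time does not depend on where the markup came from.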
Victims are sent an email to their Yahoo account and the attacker tries to trick them into clicking on a malicious link, according to TheHell’s video. Once on the site, the attack logs the victim’s cookies and redirects them back to their Yahoo email page. From there, the attacker owns the victim’s account and can read or send messages.
Yahoo director of security Ramses Martinez told Krebs on Security that his team must find the exact URL that triggers the exploit. There are few indications of what that might be from the video.