IE 11 is not supported. For an optimal experience visit our site on another browser.

$700 Hack Threatens Millions of Yahoo Mail Users

A new exploit being sold for $700 may put tens of millions of Yahoo Mail users at risk.
/ Source:

A new exploit being sold for $700 may put tens of millions of Yahoo Mail users at risk.

Once victims click on a malicious email link, the exploit allows an attacker to steal and replace tracking cookies, while remotely controlling the victims' browsing sessions.

"After the victim clicks the link, he will be redirected to the email page again," a demonstration video for the hack explained. "And you can redirect him to wherever you want."

According to Yahoo, fixing the exploit won't be nearly as difficult as finding it. That's because it's an  XSS flaw  set off by a URL, a hole that can easily be patched, but hard to locate.

"Fixing it is easy," Ramses Martinez, Yahoo director of security, told computer security writer  Brian Krebs. "Once we figure out the offending URL, we can have new code deployed in a few hours."

The exploit is being sold by an Egyptian hacker who goes by "TheHell" and who's taken measures to make sure the patch happens later, rather than sooner.

"While I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be  patched  soon!" TheHell wrote. What's more, "you don't need to bypass IE or Chrome xss filter," he explained

Krebs pointed out that if Yahoo  paid hackers to report bugs  to the company, it might have been worth TheHell's while to turn it in rather than selling it to criminals. If the vulnerability had been Google's, for example, Google would have purchased it for $1,337.

When opening emails, users should approach links with skepticism and be especially wary of any links that come from unexpected or unknown sources.

The Open Web Security Project lists XSS flaws like this among its Top 10 Application Security Risks.