Millions of Yahoo Mail accounts vulnerable to email hijacking

An internet hacker has offered to sell code that will allow a person to hijack Yahoo email accounts.

The hacker, said to be an Egyptian who goes by the username TheHell, has offered an exploit for the price of $700 on an underground cyber crime community called Darkode.

It works when an unsuspecting email user clicks on a malicious hyperlink sent in an email. By clicking on the link, they unwittingly give a cyber attacker access to their Yahoo Mail account.

‘After the victim clicks the link, he will be redirected to the email page again,’ a YouTube video advertising the hack said.

Online security blogger Brian Krebs noticed the publicity from the suspected hacker last week.

The exploit ‘targets a “cross-site scripting” (XSS) weakness that lets attackers steal cookies from Yahoo! Webmail users,’ he explained in a blog posting on his website Krebs on Security.

‘Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page,’ he added.
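The mechanism Krebs describes, as an added illustration that is not part of the original article or of any Yahoo code: a page that echoes a URL parameter unescaped (the reflected-XSS bug), the same page with output encoding, and a session cookie marked HttpOnly so that a script running in the page cannot read it. The parameter, cookie name and probe string are constructed for this example.

```python
"""Added example: reflected-XSS rendering bug beside its fix, plus the cookie
attribute that keeps a stolen script from reading the session cookie.
Not Yahoo's code; page layout, parameter and cookie name are constructed."""
from html import escape

# Constructed attacker-controlled input, as it would arrive in a query string
# behind a "malicious hyperlink" in an email.
PROBE = '<script>probe()</script>'


def render_unsafe(query: str) -> str:
    """Vulnerable: the search term is written straight into the HTML, so any
    markup carried in the URL parameter becomes part of the page and runs."""
    return f"<h1>Results for {query}</h1>"


def render_safe(query: str) -> str:
    """Fixed: HTML-encode untrusted text before placing it in element content.
    '<' becomes '&lt;', so the browser renders it as text rather than a tag."""
    return f"<h1>Results for {escape(query, quote=True)}</h1>"


def session_cookie(token: str) -> str:
    """Set-Cookie value for a webmail session.  HttpOnly keeps the cookie out
    of document.cookie, so a script that does execute cannot read it; Secure
    and SameSite limit where the browser will send it."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_script_readable(set_cookie: str) -> bool:
    """Defender's check over a Set-Cookie header: True when page scripts
    could read the cookie, i.e. the HttpOnly attribute is missing."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_unsafe(PROBE))   # tag survives: script would execute
    print(render_safe(PROBE))     # tag is encoded: shown as plain text
    print(session_cookie("constructed-token"))
```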

Krebs informed Yahoo about the intended attack and the internet company said their security team is responding by fixing any potential vulnerabilities.

‘Fixing it is easy,’ Ramses Martinez, Yahoo director of security told Krebs.

‘Once we figure out the offending URL, we can have new code deployed in a few hours.’

But the hacker seemed to anticipate the company would evolve their code once the malicious link began to circulate.

The mastermind of the attack said the exploit would only be sold to a small group of ‘trusted people’ to prevent it from being patched or modified to fix the bug.

Krebs noted that TheHell does not seem to be focused on reaping a profit from the endeavor, since web companies like Yahoo and Google offer hackers more to report such bugs.

Google pays as much as $1,337 for vulnerabilities that are reported, according to Krebs.