A hacker is selling a $700 zero-day exploit for Yahoo Mail that lets an attacker leverage a cross-site scripting (XSS) vulnerability to steal cookies and hijack accounts.
The hacker, who goes by the handle TheHell, created a video to market the exploit on Darkode, an exclusive underground cybercrime market.
In the video, which security blogger Brian Krebs reproduced and posted to YouTube, TheHell demonstrates how to access a victim's account.
First, an attacker would need to lure a victim into clicking on a maliciously crafted link.
According to the video, once a victim opens that link, a logger records his cookies. The victim is redirected back to the Yahoo email page. The attacker can then redirect the victim's browsing session at will.
The cookies logger replaces the cookies it stole, the video claims, and allows the attacker to log in to the hijacked Yahoo email account.
[video=youtube]http://www.youtube.com/watch?&v=iBXvebXo-F4[/video]
Read more: http://nakedsecurity.sophos.com/2012/11/26/hacker-selling-yahoo-exploit/
