Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.
Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell”, also posted a video on YouTube as a demo for potential customers. He claims it works in all browsers and does not require bypassing the XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are unlikely to turn it over to Yahoo, which would undoubtedly develop a patch to foil the attack.
“TheHell” claims that his exploit targets a “stored” XSS flaw. In this type of attack the injected code is stored on the targeted server until it is found and removed, and it is delivered to the victim’s browser whenever the affected page is requested normally.
A standard phishing attempt is used to obtain the user’s cookies, with which the attacker can read the person’s email or take full control of the account.
As of Tuesday morning, Yahoo was still trying to identify the affected URL. Once it is identified, the malicious portion of the code will be removed.
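The cookie theft described above only works when the session cookie is readable from script. As an added example (not code from the article or from Yahoo), this audits Set-Cookie headers for the attributes that limit the damage: HttpOnly keeps the cookie out of document.cookie, Secure keeps it off plaintext HTTP, and SameSite limits cross-site sending. Cookie names and values are constructed, and the set of names treated as session cookies is an assumption the caller supplies.

```python
REQUIRED = ("Secure", "HttpOnly", "SameSite")

# Constructed sample responses; these are not real Yahoo headers.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.test",          # readable by any injected script
    "sid=def456; Path=/; Secure; HttpOnly; SameSite=Lax",    # correctly flagged
    "theme=dark; Path=/",                                     # not a session cookie
]

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def missing_flags(header: str):
    """Return the protective attributes the header lacks, in REQUIRED order."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED if flag.lower() not in attrs]

def audit(headers, session_cookies):
    """Map each session cookie name (assumed list) to the flags it is missing."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name in session_cookies:
            report[name] = missing_flags(header)
    return report

def harden(header: str):
    """Append every missing protective attribute; SameSite defaults to Lax."""
    out = header.rstrip("; ")
    for flag in missing_flags(header):
        out += "; " + ("SameSite=Lax" if flag == "SameSite" else flag)
    return out

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS, {"session", "sid"}).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
    print(harden(SAMPLE_HEADERS[0]))
```

HttpOnly stops the cookie being exfiltrated, but a script running in the page can still act as the logged-in user for as long as the page is open, so it narrows the attack rather than removing the XSS bug.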
This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping.
perl mysql5enum.pl -h [hostname] -u [url] [-q [query]]
perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q "select system_user()"
– By default, this script will first determine username, version and database name before enumerating the information_schema information.
– When the -q flag is applied, a user can supply any query that returns only a single cell.
– If the exploit or vulnerability requires a single quote, simply tack %27 to the end of the URI.
– This script contains error detection: it only works against a MySQL 5.x database, and it recognises when its queries produce syntax errors.
– This script uses Perl’s LibWhisker2 library for IDS evasion (the same library Nikto uses).
– This script uses the MD5 algorithm as an optimization. Other optimization methods exist, and this one may not work on all sites.
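The script above depends on a query parameter being pasted straight into SQL text, so that a condition appended to input=24 flips whether a row comes back. As an added example (not part of the script or the page), this shows that one-bit oracle in a vulnerable lookup beside the parameterised form that closes it. SQLite stands in for MySQL, and the table, rows and endpoint name are constructed.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the target database (SQLite in memory, not MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)",
                    [(24, "public item"), (25, "other item")])
    return con

def lookup_vulnerable(con, user_input):
    """Mirrors vuln.ext?input=24: the parameter is pasted into the SQL text.
    A condition appended to the input decides whether a row is returned, which
    is the true/false oracle a boolean-enumeration script reads. A stray quote
    produces a syntax error instead, the case the script's error detection spots."""
    sql = "SELECT name FROM items WHERE id = " + user_input
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, user_input):
    """Hardened form: validate the type, then bind the value as a parameter.
    Input that is not a plain integer never reaches the SQL parser, so every
    probe returns nothing and reveals nothing."""
    try:
        item_id = int(user_input)
    except ValueError:
        return []
    sql = "SELECT name FROM items WHERE id = ?"
    return [row[0] for row in con.execute(sql, (item_id,))]

if __name__ == "__main__":
    con = make_db()
    for probe in ("24", "24 AND 1=1", "24 AND 1=0"):
        print(f"{probe!r:14} vulnerable={lookup_vulnerable(con, probe)} "
              f"safe={lookup_safe(con, probe)}")
```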
Facebook is the most recent company to join the bug-bounty party, officially announcing recently that:
“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”
Here’s how it works:
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity or privacy of Facebook user data, such as: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Remote Code Injection.
- Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
The Facebook security team will assess each bug to determine whether it qualifies.
- A typical bounty is $500 USD
- We may increase the reward for specific bugs
- Only 1 bounty per security bug will be awarded
The following bugs aren’t eligible for a bounty:
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook’s corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
Sign Up: Facebook Official Bug Bounty Page
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Intercepting Proxy
- Automated scanner
- Passive scanner
- Brute Force scanner
- Port scanner
- Dynamic SSL certificates
- Beanshell integration
- Easy to install (only requires Java 1.6)
- Ease of use a priority
- Comprehensive help pages
- Fully internationalized
- Under active development
- Open source
- Free (no paid-for ‘Pro’ version)
- Cross platform
- Involvement actively encouraged
Download: ZAP 1.3.1
MySQL.com, the official website of the database management system of the same name, was today subjected to an attack whereby hackers used SQL injection exploits to gain access to a complete list of usernames and passwords on the site.
News of the attack surfaced when the attackers posted details of the compromise on the Full Disclosure mailing list, publicly listing the database tables used to store member and employee data as well as a small sample of user logins and password hashes.
Owned by Oracle, MySQL is used by millions of websites to store and deliver information, with some of the most popular online services and platforms including WordPress and Joomla utilising the software.
The attack was achieved using “blind SQL injection”, targeting MySQL.com, MySQL.fr, MySQL.de and MySQL.it, but also two Sun domains.
It appears that the attacks were not due to flaws in the MySQL software itself, but to flaws in the implementation of the websites.