Yahoo XSS exploits going for $700
The latest discovery of a cross-site scripting (XSS) vulnerability on Yahoo is not particularly uncommon, but gives some insight into how exploits for vulnerabilities are priced. According to security blogger Brian Krebs, an exploit being sold by an Egyptian hacker targets an XSS vulnerability in a Yahoo service.
The Egyptian hacker is holding a sale, offering the exploit for $700 where he claims it is usually sold for $1,100 to $1,500 dollars. The hacker is able to sell the exploit several times but does say that he expects the hole it targets to be closed soon. The vulnerability in question has been exploited to allow attackers to steal cookies from Yahoo webmail users. Cookies can then be used to help attackers see the emails of victims or send emails from the hijacked account.
The hacker points out that this is a "stored XSS" which "works with all browsers". Stored XSS means that the injected code is being permanantly stored on the targeted server – in this case at Yahoo. This is possible if, for example, it was stored in the input fields of a comment in a user forum which was later sent to the user without filtering. Because the XSS is on the target server, XSS filters on the browser need not be circumvented as it appears to come from the correct site. This is pointed out by the Egyptian hacker who demonstrates this in a video:
Since the script for the XSS is on Yahoo servers, Yahoo has to actively find the compromised Yahoo.com URL through which the XSS is loaded. Director of Security at Yahoo, Ramses Martinez, told Krebs that once the company had figured out the URL it could deploy code to fix the problem in a few hours.
While this seems simple and fast, it doesn't always work this way, at least not for Yahoo. Krebs refers to web sites that collect information about cross-site scripting vulnerabilities, specify whether an XSS is open or closed, and let users index them by Google PageRank. On XSSed.com he found it easy to discover several recently patched or unfixed XSS flaws on Yahoo.com or associated properties. OSVDB, the Open Source Vulnerability Database, now also indexes vulnerabilities by vendor, making this easier still.
Krebs points out that Yahoo, unlike many companies, has no bug bounty program to reward vulnerability hunters for finding problems and responsibly informing the site owners of the problem. The severity of the problem often affects the scale of the bounty which can therefore rise into the tens of thousands of dollars. It's unclear why Yahoo has not adopted such a model when competitors report good results with it.