It's not mine 🙂
Selling Yahoo Self Spread XSS Worm
About the worm :
The worm self spreads via instant messaging and email.
The worm steals cookies from Yahoo users and uses them to authenticate itself in order to send spam to the contacts of the victim. The spammed contacts receive an ‘interesting’ URL. If they click it, their cookies will be stolen and sent to the worm for instant or later use ( depending on config ). It supports proxies ( format check, availability check, type check ). The emails and IMs also bypass spam checkers.
About the XSS :
After I disclosed the XSS hole in the Pipes service ( version 1 ), pipes.yahoo.com, I found another one in Pipes, but in version 2 of it.
The advantage of this UNIQUE XSS :
THE BEST PART :
pax @ secure.cn.com
Some clearing :
YOU WILL NOT DISPATCH IT TO YAHOO
YOU WILL NOT DISCLOSE IT OR SHARE IT
YOU ARE RESPONSIBLE FOR IT ( although I provide you strong privacy for the use of the worm )
YOU CAN HAVE THE SOURCE ONLY IF YOU PROVE TO ME THAT THE SOURCE CANNOT BE SEEN OR STOLEN BY OTHERS
YOU WILL NOT SHARE OUR FUTURE CONVERSATIONS ( and we will not use Yahoo Messenger )
YOU CAN DO WHATEVER YOU WANT WITH IT ( but don’t break the rules above )
I WILL NOT DISCLOSE YOUR IDENTITY
I WILL NOT ASK SENSITIVE QUESTIONS ( only those which ensure me that you are ok )
I WILL OFFER YOU SUPPORT FOR 6 MONTHS AFTER THE EXCHANGE ( also a limit of 3 XSS backups if this one gets patched, but not sure if it will ever get patched )
I HOLD THE RIGHT TO KEEP THE SOURCES AND THE XSS SAFE !
I ACCEPT ONLY WESTERN UNION
IF YOU ARE YAHOO, SUCK ME !
From trusted sources: paxnwo isn’t the one who discovered the XSS, but the worm is written by him.