The method is shown off in a video that was posted on YouTube. A cross-site scripting (XSS) flaw on Yahoo! Mail creates a means to steal cookies and hijack accounts. In order to work, the victim must click on a malcious link. Upon doing so, the user's cookies will be stolen and he or she will be redirected back to the Yahoo! email home page.
"I'm selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers," "TheHell" explained. "And you don't need to bypass IE or Chrome xss filter as it do that itself because it's stored xss."
Yahoo! has been notified and is looking for the security hole, which it says can be fixed in a few hours once discovered. They says this XSS flaw falls into the category of a stored vulnerability, which inserts malicious code into a file, database, or back-end system. The malicious script is then retrieved from the server when it requests the stored information.