Hacker Tells Yahoo About a Worm and Gets Snubbed. Now He’s Getting Even With a Second One

A photo Pax says is him demonstrating the hack to Yahoo officials at the Bucharest hackathon.

There’s a second part to the story of a hacker who built a malicious worm at a Yahoo-sponsored hackathon in Bucharest that exploits a vulnerability in a Yahoo developer service. The hacker, who goes by Pax, was offended when the hackathon organizers cut short his time on stage and failed to give him due respect for a clever (though malicious) hack, or thank him and his team partner for exposing a security hole. “They were/are complete assholes,” he said on Twitter after someone commented that the officials’ reaction had turned a white hat effort into a grudge.

So he found a second security hole in another version of the same service, wrote a second virus, and announced he is selling the code.

From the ad:

Selling Yahoo Self Spread XSS Worm

About the worm:

The worm self spreads via instant messaging and email.
The worm steals cookies from Yahoo users and uses them to authenticate itself in order to send spam to the contacts of the victim. The spammed contacts receive an ‘interesting’ URL. If they click it, their cookies will be stolen and sent to the worm for instant or later use (depending on config). It supports proxies (format check, availability check, type check). The emails and IMs also bypass spam checkers.

He doesn’t name a price, but specifies that the buyer must use Western Union and promise not to disclose the worm to Yahoo. “IF YOU ARE YAHOO, SUCK ME!” he wrote in the ad.

A Yahoo security researcher attempted to get more details about the new worm from Pax via Twitter, to no avail.

“We have learnt an important lesson about disclosure,” Pax tweeted. “Don’t disclose! Exploit!”