Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
yahoo xss
Posted by: withwing
Date: October 18, 2006 08:03AM

I need a yahoo xss exploit, please email me and tell me how much.
withwing1@gmail.com

Re: yahoo xss
Posted by: Ghozt
Date: October 18, 2006 01:06PM

Offtopic: I found another last night. I'll post it in full disclosure when it gets fixed (probably within 24h).

I highly doubt anyone from here will give you one.

Re: yahoo xss
Posted by: maluc
Date: October 18, 2006 07:06PM

lol, withwing.. welcome to the boards. Looks like you get the dubious distinction of being the first skript kiddie here to beg to hack X site -.-

While I don't believe selling such information is illegal (IANAL) .. the seller still might be found liable by the 'probable intent' of the buyer. If someone chooses to help you though, that's their business - but you probably won't find what you're looking for here. Keep an eye on the Full Disclosure forum though and you might get lucky. But as Ghozt said, yahoo fixes their holes fairly fast (i suspect some of their websec guys may lurk here).

-maluc

Re: yahoo xss
Posted by: rsnake
Date: October 19, 2006 10:24AM

That's an interesting problem.... think about what http://www.zerodayinitiative.com/ is doing. Selling exploits for cash seems to be an okay business model for them because their intent is non-malicious. How can I know what withwing's intentions are, unless he says so? He could easily be trying to get business with Yahoo by showing what vulnerabilities they have (granted, that is probably the least likely possibility, but still).

- RSnake
Gotta love it. http://ha.ckers.org

Re: yahoo xss
Posted by: maluc
Date: October 19, 2006 03:58PM

Indeed, i think ZDI is providing an invaluable service, by giving hackers a way to legitimately compensate their efforts (perhaps even enough to make it their job - but i doubt it). The key being in a legal way.

But IANAJ (judge), so i don't really follow an innocent till proven guilty policy. More like the if it looks&&quacks like a duck, it is.. So perhaps with a legally binding contract that removes the discloser from any liability of forbidden unlawful activity, it'd be acceptable. But i'd bet his 'company' would not agree to that..

-maluc
