Yahoo! (Getty)

Security expert Brian Krebs dropped a bomb on Yahoo email users last week, though his warning was probably lost in the roar of stories about Black Friday fistfights. According to Mr. Krebs, an Egyptian hacker using the screen name TheHell is selling a Yahoo Mail exploit that could allow an attacker to take over and control a victim's email and browser activity. TheHell is only charging $700 for the information.

TheHell uploaded a video demonstration to prove he was serious. Mr. Krebs reproduced the video, which you can watch below.

According to Mr. Krebs, the hacker implied his $700 asking price was a bargain:

"I'm selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers," wrote the vendor of this exploit, using the hacker handle 'TheHell.' "And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don't want it to be patched soon!"

Yahoo's security director, Ramses Martinez, told Mr. Krebs that fixing the exploit itself isn't too hard--the problem is finding the weak Yahoo URL that allows the hacker to take control.

"Once we figure out the offending URL," said Mr. Martinez, "we can have new code deployed in a few hours."

Mr. Krebs noted that Yahoo doesn't pay hackers who notify the company about vulnerabilities like this. Several other companies do, Mr. Krebs writes, "including Facebook, Google, Mozilla, CCBill and Piwik."

As for ensuring you don't fall prey to such a hack, always engage extreme caution when opening emails containing links, especially if they come from unfamiliar sources. Like guys who call themselves TheHell, for instance.

Chinese flag

Telvent, which provides services that facilitate remote control and monitoring of large sections of the energy industry, may have recently fallen prey to Chinese hackers. While notifications about the Sept. 10 systems intrusion were distributed by Telvent Canada, Ltd., the cyber attack was "sophisticated" and targeted operations in the U.S. and Spain as well as Canada.

Security experts believe the culprits are a group of Chinese hackers who have attacked Western companies in the past.

Krebs on Security explains more about the hack:

Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies.

The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.

Krebs also viewed documents that explained that the malware used in the attack suggested the intruders may have been Chinese hackers known as both Byzantine Candor and the Comment Group. As Krebs notes, Bloomberg News has taken a deep dive into possible Comment Group exploits.

The hackers, whom many experts believe are part of the Chinese military establishment, have struck targets as diverse as Halliburton Co., Canadian court officials and the president of the European Union Council.

It's probably just a coincidence, but Saturday, just a few days after Krebs on Security first reported the Telvent intrusion, Rogers Internet, which services millions of Canadian customers, had a sustained and serious service outage. That just doesn't sound subtle enough for an outfit like the Comment Group.