mailing list archives
Yahoo! Chat Add Buddy Without Consent Privacy Issue
From: Torseq Tech. <bindshell () gmail com>
Date: 14 May 2005 03:44:37 -0000
Title: Yahoo! Chat Add Buddy Without Consent Privacy Issue
Discovered By: Torseq Tech. <bindshell () gmail com>
Date: Friday, May 13, 2005
Services affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: No (needs fixed server-side)
Description: A vulnerability exists in Yahoo!'s Chat servers that allows for chatters to be added to your friends list
completely without their knowledge or permission of the operation. As a result private status messages can be read and
online Yahoo! Chat activity can be monitored stealthily.
A feature that can be found in Yahoo! Messenger ver. 5.x/6.0 under the Contacts tab, "Invite People to Yahoo!
Messenger..." and under the "Add people" option contains a loophole that allows for a person to be added to another
person's friends list completely without their knowledge or consent. This feature allows for an e-mail to be sent
(through Yahoo!'s HTTP servers) inviting another person to download and use Yahoo! Messenger. In the e-mail (generated
from the template) is a vulnerable link that can be altered to your liking. By specifying an e-mail address different
from the yahoo.com domain names you can view the template responsible for generating this link and sending the e-mails.
Once the link is tweaked all you need to do is plug it into your browser's address bar and sign into the Yahoo! account
that you want the target to be added as a friend on. Once signed in the operation is completed.. no user-interaction
required. If you're already signed into yahoo.com then s
imply tweaking the link and surfing to it will complete the operation for you.
Yahoo! is tricked into thinking that a person received an e-mailed invitation permitting them to add the sender as a
friend, and as the result no add buddy request confirmation is ever sent to the id being added (the supposed "sender"
of this e-mail), exploiting a trust-based relationship. No e-mail needs to be sent (no invitation) to accomplish this
since we already know the link and the e-mail would infact give us away (since then the receiver could add 'US' without
our knowledge and make them aware of the invitation in the first place - raising suspicion of the whole intent of the
Skip Add Buddy "Accept" step and add immediately with no steps after signing in:
Go through with Add Buddy "Accept" step and add after confirmation of the operation:
Where "ID_TO_ADD" would be the id of the person you're wanting to add to your Yahoo! account that you'd be signing into
from these links.
With this Yahoo! server 'flaw' you can monitor the online activity of the people you've added without permission. You
can determine whether or not they're "Available" and read their custom status messages that could contain private
information such as private links and text (phone numbers, away messages etc).
- Yahoo! Chat Add Buddy Without Consent Privacy Issue Torseq Tech . (May 13)