[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050514034437.9347.qmail@www.securityfocus.com>
Date: 14 May 2005 03:44:37 -0000
From: Torseq Tech. <bindshell@...il.com>
To: bugtraq@...urityfocus.com
Subject: Yahoo! Chat Add Buddy Without Consent Privacy Issue
Title: Yahoo! Chat Add Buddy Without Consent Privacy Issue
Discovered By: Torseq Tech. <bindshell@...il.com>
Date: Friday, May 13, 2005
Services affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: No (needs fixed server-side)
Description: A vulnerability exists in Yahoo!'s Chat servers that allows for chatters to be added to your friends list completely without their knowledge or permission of the operation. As a result private status messages can be read and online Yahoo! Chat activity can be monitored stealthily.
Details:
A feature that can be found in Yahoo! Messenger ver. 5.x/6.0 under the Contacts tab, "Invite People to Yahoo! Messenger..." and under the "Add people" option contains a loophole that allows for a person to be added to another person's friends list completely without their knowledge or consent. This feature allows for an e-mail to be sent (through Yahoo!'s HTTP servers) inviting another person to download and use Yahoo! Messenger. In the e-mail (generated from the template) is a vulnerable link that can be altered to your liking. By specifying an e-mail address different from the yahoo.com domain names you can view the template responsible for generating this link and sending the e-mails. Once the link is tweaked all you need to do is plug it into your browser's address bar and sign into the Yahoo! account that you want the target to be added as a friend on. Once signed in the operation is completed.. no user-interaction required. If you're already signed into yahoo.com then s
imply tweaking the link and surfing to it will complete the operation for you.
Yahoo! is tricked into thinking that a person received an e-mailed invitation permitting them to add the sender as a friend, and as the result no add buddy request confirmation is ever sent to the id being added (the supposed "sender" of this e-mail), exploiting a trust-based relationship. No e-mail needs to be sent (no invitation) to accomplish this since we already know the link and the e-mail would infact give us away (since then the receiver could add 'US' without our knowledge and make them aware of the invitation in the first place - raising suspicion of the whole intent of the actual invitation).
Link examples:
Skip Add Buddy "Accept" step and add immediately with no steps after signing in:
http://friends.msg.yahoo.com/invite?id=ID_TO_ADD&intl=us&op=add&dl=1
Go through with Add Buddy "Accept" step and add after confirmation of the operation:
http://friends.msg.yahoo.com/invite?op=accept&id=ID_TO_ADD&intl=us
Where "ID_TO_ADD" would be the id of the person you're wanting to add to your Yahoo! account that you'd be signing into from these links.
Impact:
With this Yahoo! server 'flaw' you can monitor the online activity of the people you've added without permission. You can determine whether or not they're "Available" and read their custom status messages that could contain private information such as private links and text (phone numbers, away messages etc).
Powered by blists - more mailing lists