Adding ID’s without knowledge or consent.
This topic has 21 replies, 10 voices, and was last updated 20 years, 9 months ago by Torseq Tech.
May 15, 2005 at 1:43 pm #18318
UnSaKreD
Member
Yahoo! Chat Add Buddy Security Hole
A feature that can be found in Yahoo! Messenger ver. 5.x/6.0 under the Contacts tab, “Invite People to Yahoo! Messenger” and under the “Add people” option contains a loophole that allows for a person to be added to another person’s friends list completely without their knowledge or consent.
This feature allows for an e-mail to be sent (through Yahoo!’s HTTP servers) inviting another person to download and use Yahoo! Messenger.
In the e-mail (generated from the template) is a vulnerable link that can be altered to your liking.
By specifying an e-mail address different from the yahoo.com domain names you can view the template responsible for generating this link and sending the e-mails.
Once the link is tweaked all you need to do is plug it into your browser’s address bar and sign into the Yahoo! account that you want the target to be added as a friend on.
Once signed in the operation is completed.. no user-interaction required. If you’re already signed into yahoo.com then simply tweaking the link and surfing to it will complete the operation for you.
Yahoo! is tricked into thinking that a person received an e-mailed invitation permitting them to add the sender as a friend, and as the result no add buddy request confirmation is ever sent to the id being added (the supposed “sender” of this e-mail), exploiting a trust-based relationship.
No e-mail needs to be sent (no invitation) to accomplish this since we already know the link and the e-mail would in fact give us away (since then the receiver could add ‘US’ without our knowledge and make them aware of the invitation in the first place – raising suspicion of the whole intent of the actual invitation).
Security Hole Information
Discovered By: Torseq Tech
Date: Friday, May 13, 2005
Services affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: No (needs fixed server-side)
Description: A vulnerability exists in Yahoo!’s Chat servers that allows for chatters to be added to your friends list completely without their knowledge or permission of the operation.
Impact:
With this Yahoo! server ‘flaw’ you can monitor the online activity of the people you’ve added without permission.
You can determine whether or not they’re “Available” and read their custom status messages that could contain private information such as private links and text (phone numbers, away messages etc).
Source : SecurityFocus
May 15, 2005 at 7:29 pm #121795
Dermot
Participant
Did this Flaw actually work for you?
All it reports back here is to try another time or use messenger.
Either it doesn’t work or Yahoo! quickly patched it.
Hopefully so.
May 15, 2005 at 10:16 pm #121798
Dobrin
Member
It works perfectly!
Just copy the link at the bottom from “Contacts” => “Invite people to Yahoo! Messenger” and replace the given ID with the one you want to be added to your friends list.
friends.msg.yahoo.com/invite?op=accept&id=ID_you_want_to_add&intl=us&sig=your_signiture_code
example:
friends.msg.yahoo.com/invite?op=accept&id=myfriend&intl=us&sig=abcdef
Paste it into your browser and you will be directed to the yahoo login page. After you login with your ID and click ok in the next page you will have a new “non-mutual” friend 😉 He will be added to your friends list but not to the address book. Even if he’s online he will be shown offline until you or him relogin.
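The edited link described in this thread only succeeds if the server accepts a `sig` that is not tied to the `id` it arrives with. The sketch below is an added example, not code from the thread or from Yahoo!: the weak check is an assumption about the flaw, the hardened check is one possible server-side fix, and every name, key and account in it is constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed value, stands in for a server secret
ISSUED = {"mallory": "abcdef"}  # assumed weak scheme: one opaque code per account
ACCOUNTS = {"bob": "bob@example.org", "mallory": "mallory@example.org"}
pending = {("alice", "bob@example.org")}  # invitations the server really sent


def accept_weak(session_user, inviter_id, sig):
    """Assumed flaw: sig is recognised, but never tied to inviter_id."""
    if sig not in ISSUED.values():
        return "rejected"
    return f"{inviter_id} added to {session_user}, no confirmation sent"


def sign_invite(inviter_id, invitee_email):
    """Signature covers both parties of one specific invitation."""
    msg = f"{inviter_id}\x00{invitee_email}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def accept_hardened(session_user, inviter_id, sig):
    """Accept only an invitation sent by inviter_id to the signed-in account."""
    email = ACCOUNTS.get(session_user, "")
    if not hmac.compare_digest(sign_invite(inviter_id, email), sig):
        return "rejected: sig does not cover this id and recipient"
    if (inviter_id, email) not in pending:
        return "rejected: no pending invitation"
    pending.discard((inviter_id, email))  # single use
    return f"{inviter_id} added to {session_user}"


if __name__ == "__main__":
    print(accept_weak("mallory", "victim", "abcdef"))
    print(accept_hardened("mallory", "victim", "abcdef"))
    real = sign_invite("alice", "bob@example.org")
    print(accept_hardened("mallory", "alice", real))
    print(accept_hardened("bob", "alice", real))
    print(accept_hardened("bob", "alice", real))  # replay
```

With the hardened check, swapping the `id` value, presenting a signature issued for a different recipient, or replaying an already accepted invitation are all rejected before the friends list is changed.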
May 16, 2005 at 12:01 am #121783
Jeff Hester
Keymaster
I don’t see why you would want to do this. Seems pretty sneaky to me. If someone wanted you to know what they’re doing they’d let you know but I guess there’s no privacy nowadays and it’s the norm.
May 16, 2005 at 9:58 am #121796
Dermot
Participant
True miamiguy, I see no point.
Who puts their personal details on a status message anyways?
That’s “dumb”..
They can add you but if you have pm’s set to friends only that means you still don’t get their pm’s..etc
You have to accept to actually get them on your list.
May 16, 2005 at 5:45 pm #121787
Netti
Member
I am torn between the privacy issue of this, etc. I know that this can be used to mess with people, or keep pm’ing them, or view their cam, etc. However, I have and still use similar programs, but only for my own purpose.
For example, as everyone knows there are hundreds of thousands of different personality types on yahoo. Most of which I can tolerate. However, there are a few, that with their immature attitude, I can’t handle and don’t want to even be in the same room as they are. So, if I see them online on my friends list, then I will just stay out of that particular room.
In my opinion I am preventing an argument and disruption of an entire room.
As the saying goes…. Keep your friends close…. but your enemies closer.
So I can’t really comment on the privacy issue, etc. But I know what I use it for, and there’s nothing malicious about it.
May 17, 2005 at 8:31 pm #121797
Dermot
Participant
I doubt you need to add someone to know what room they are in.
You can use a bot to do a /follow id function on them and retrieve roomname
just like buddyspy and yahbot do.
This is not a real bad exploit as it’s only as dangerous as the user is stupid.
NEVER!! put personal info in chat or on status messages.
May 19, 2005 at 7:07 pm #121799
Dobrin
Member
It no longer works for me. Seems like yahoo have already fixed it.
May 20, 2005 at 11:43 am #121788
Netti
Member
Dermot, I’m not adding someone to know what room they are in. I already know what room they hang out in. What I was saying is that if they are on my list, I don’t go in that room.
And you’re right it’s a great feature, as long as it’s not used to stalk or whatever.
May 23, 2005 at 9:02 pm #121800
Faggatron
Member
so does it still work??
May 24, 2005 at 9:43 am #121785
Carriemeawayplz
Member
It’s amazing to me… All of this technology, all of these ways to “hack” yahoo and to follow people and to add them without their knowledge but no one can come up with a way to find out who has added you so that you can remove them. NO one can come up with a way to have yahoo remember every id you have at login.
When are these people or programmers or yahoo (even) going to come up with something useful to people who just want to have a pleasant time on here and enjoy themselves without causing all this chaos and without stalking each other?
May 24, 2005 at 12:49 pm #121784
Oreo
Member
You have really good points Carrie. I always think that too…we can remove ourselves, IF we know someone has us on his/her list…yet there’s no way to tell who has us on their lists. It seems to me that there has to be some way, but no one is sharing because THAT could cause another exploit…who knows…it could make things even worse. But it would CERTAINLY be nice to know who has added without consent. Maybe even if Yahoo! gave a summary of the week/month and sent you a list of who added you in that time to CONFIRM that you did indeed accept the addition. Even that would be a start!
May 24, 2005 at 2:30 pm #121789
Netti
Member
I am actually surprised that someone has not tried to update this program. I mean your friends list is actually kept online and not on your computer, so you’d think that someone could find a way to do this. However I suppose then you’d have to have everyone’s user name and password to view their friends list.
Might be something that is just out of the picture for right now.
May 24, 2005 at 10:16 pm #121786
Carriemeawayplz
Member
Netti wrote: I am actually surprised that someone has not tried to update this program. I mean your friends list is actually kept online and not on your computer, so you’d think that someone could find a way to do this. However I suppose then you’d have to have everyone’s user name and password to view their friends list. Might be something that is just out of the picture for right now.
It would actually be nice if they could do something like MSN messenger does.. it gives you a list of who has added you and who hasn’t. I’m surprised yahoo hasn’t come up with something like this. I’ve emailed them and complained constantly even “suggested” it many times. But still they haven’t thought it necessary, I guess. It would stop a lot of stalker problems and such. Knowing how every one values their privacy you’d think they would consider it.
May 24, 2005 at 11:58 pm #121801
Torseq Tech.
Member
For those of you that still think this works, it doesn’t. Yahoo! fixed this several days ago (should have fixed it sooner). “Fixed” as in disabled the functionality altogether until they can make sure that this won’t occur again. When they see that it’s working properly more than likely it’ll be back, but actually informing the added “friends” of the buddy add that took place. This really isn’t anything “new”, way back there was a similar way to add people from a Yahoo! web link. The only difference here is that this was found years later, when Yahoo! was “supposed” to have ‘some’ of their crap together. If anyone else would like to know if adding friends can still be done without informing them I can tell you yes, but, not as conveniently as this past method of doing it. As someone already said in this thread it’s definitely not wise to have important information in your status messages.