Yahoo Messenger 0-Day Exploit allows status message hijacking

Posted: December 4, 2011 in Vulnerabilities

Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user’s status message. The vulnerability was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer’s report about unusual Yahoo Messenger behavior.

The zero-day exploit is present in versions 11.x of the Yahoo Messenger client, including the most recently released version. The flaw appears to be located in the application's file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.
"An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the victim," said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender. "Status changing appears to be only one of the things the attacker can abuse. We're currently investigating what other things they may achieve," he added.
The attacker sends a supposed file to a target that is actually an iframe that swaps the status message for the attacker’s customised text. If successfully executed, a victim will have no indication that his or her status message has been rewritten. The ruse might be used to gain affiliate incomes by promoting dodgy sites as well as directing users towards sites loaded with exploits or scareware scams.
This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites, or to spam malicious links that point to drive-by download pages. Drive-by download attacks exploit unpatched vulnerabilities in browser plug-ins like Java, Flash Player, or Adobe Reader, and are currently one of the primary methods of distributing malware.
BitDefender advises users to change the setting of their IM client to "Ignore anyone who is not in your Yahoo! Contacts" (which is off by default) as a precaution pending the release of a patch. The researchers say that they have contacted Yahoo! and sent the proof-of-concept code and the documentation to them, so let's hope the bug will be fixed soon.
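The recommended workaround amounts to an allow-list: only senders already on the contact roster get to reach the file-transfer code path. The script below is an added illustration of that policy, not Yahoo's code and not a YIM protocol implementation; the event dictionaries, their field names (`type`, `from`, `filename`, `description`) and the sample roster are constructed assumptions standing in for whatever a real client decodes. It also goes one step beyond the setting by refusing file offers whose metadata carries HTML markup, since the article says the "supposed file" in this attack is really an iframe.

```python
"""Contact allow-list gate for incoming IM events (added example).

Not Yahoo Messenger code; the event shape below is an assumption.
"""
from __future__ import annotations

import re

# A plain filename or description has no business containing these tags,
# so their presence in file-offer metadata is treated as hostile.
_MARKUP_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def classify_event(event: dict, contacts: set[str], ignore_non_contacts: bool) -> tuple[str, str]:
    """Return ("accept" | "drop", reason) for one incoming event.

    Assumed event shape: {"type": "message" | "file_offer", "from": sender_id,
    and for file offers "filename" and "description"}.
    """
    sender = event.get("from", "")
    # The "Ignore anyone who is not in your Yahoo! Contacts" setting: when on,
    # unknown senders never reach the rest of the client.
    if ignore_non_contacts and sender not in contacts:
        return "drop", "sender not in contact list"
    # Defence in depth for the file-transfer path: reject offers whose
    # metadata smuggles markup instead of a filename.
    if event.get("type") == "file_offer":
        meta = event.get("filename", "") + " " + event.get("description", "")
        if _MARKUP_RE.search(meta):
            return "drop", "file offer metadata contains HTML markup"
    return "accept", "ok"


def filter_events(events, contacts, ignore_non_contacts=True):
    """Split an event stream into (accepted, dropped) lists of (event, reason)."""
    accepted, dropped = [], []
    for ev in events:
        verdict, reason = classify_event(ev, contacts, ignore_non_contacts)
        (accepted if verdict == "accept" else dropped).append((ev, reason))
    return accepted, dropped


# Constructed sample: a roster of two contacts and four incoming events.
SAMPLE_CONTACTS = {"alice", "bob"}
SAMPLE_EVENTS = [
    {"type": "message", "from": "alice", "text": "hi"},
    {"type": "file_offer", "from": "bob", "filename": "report.pdf", "description": "Q4 numbers"},
    {"type": "file_offer", "from": "stranger42", "filename": "photo.jpg", "description": ""},
    {"type": "file_offer", "from": "bob", "filename": "<iframe src=x>", "description": ""},
]

if __name__ == "__main__":
    for setting in (True, False):
        acc, drp = filter_events(SAMPLE_EVENTS, SAMPLE_CONTACTS, ignore_non_contacts=setting)
        print(f"ignore_non_contacts={setting}: {len(acc)} accepted, {len(drp)} dropped")
        for ev, reason in drp:
            print("  DROP", ev["from"], ev["type"], "-", reason)
```

Running it with the setting on drops the stranger's offer and the markup-laden offer; with the setting off (the default the article warns about) the stranger's offer goes through and only the markup check stands between the client and the malformed request.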