Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user's status message. The vulnerability was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer's report about unusual Yahoo Messenger behavior.
The zero-day exploit is present in versions 11.x of the Yahoo Messenger client, including the latest released version. The flaw appears to be located in the application's file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from the victim.
"An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the victim," said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender. "Status changing appears to be only one of the things the attacker can abuse. We're currently investigating what other things they may achieve," he added.
The attacker sends a supposed file to a target that is actually an iframe that swaps the status message for the attacker's customised text. If successfully executed, the victim has no indication that his or her status message has been rewritten. The ruse might be used to earn affiliate income by promoting dodgy sites, as well as to direct users towards sites loaded with exploits or scareware scams.
PCWorld said: "This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites or to spam malicious links that point to drive-by download pages. Drive-by download attacks exploit unpatched vulnerabilities in browser plug-ins like Java, Flash Player, or Adobe Reader, and are currently one of the primary methods of distributing malware."
Users are advised to change the setting of their IM client to "Ignore anyone who is not in your Yahoo! Contacts" (which is off by default) as a precaution pending the release of a patch. The researchers say that they have contacted Yahoo! and sent the proof-of-concept code and the documentation to them, so let's hope the bug will be fixed soon.