Yahoo! Chat Add Buddy Without Consent Privacy Issue
Title: Yahoo! Chat Add Buddy Without Consent Privacy Issue
Discovered By: Torseq Tech. <bindshell@xxxxxxxxx>
Date: Friday, May 13, 2005
Services affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: No (needs fixed server-side)
Description: A vulnerability exists in Yahoo!'s Chat servers that allows for
chatters to be added to your friends list completely without their knowledge or
permission of the operation. As a result private status messages can be read
and online Yahoo! Chat activity can be monitored stealthily.
Details:
A feature that can be found in Yahoo! Messenger ver. 5.x/6.0 under the Contacts
tab, "Invite People to Yahoo! Messenger..." and under the "Add people" option
contains a loophole that allows for a person to be added to another person's
friends list completely without their knowledge or consent. This feature allows
for an e-mail to be sent (through Yahoo!'s HTTP servers) inviting another
person to download and use Yahoo! Messenger. In the e-mail (generated from the
template) is a vulnerable link that can be altered to your liking. By
specifying an e-mail address different from the yahoo.com domain names you can
view the template responsible for generating this link and sending the e-mails.
Once the link is tweaked all you need to do is plug it into your browser's
address bar and sign into the Yahoo! account that you want the target to be
added as a friend on. Once signed in the operation is completed.. no
user-interaction required. If you're already signed into yahoo.com then s
imply tweaking the link and surfing to it will complete the operation for you.
Yahoo! is tricked into thinking that a person received an e-mailed invitation
permitting them to add the sender as a friend, and as the result no add buddy
request confirmation is ever sent to the id being added (the supposed "sender"
of this e-mail), exploiting a trust-based relationship. No e-mail needs to be
sent (no invitation) to accomplish this since we already know the link and the
e-mail would infact give us away (since then the receiver could add 'US'
without our knowledge and make them aware of the invitation in the first place
- raising suspicion of the whole intent of the actual invitation).
Link examples:
Skip Add Buddy "Accept" step and add immediately with no steps after signing in:
http://friends.msg.yahoo.com/invite?id=ID_TO_ADD&intl=us&op=add&dl=1
Go through with Add Buddy "Accept" step and add after confirmation of the
operation:
http://friends.msg.yahoo.com/invite?op=accept&id=ID_TO_ADD&intl=us
Where "ID_TO_ADD" would be the id of the person you're wanting to add to your
Yahoo! account that you'd be signing into from these links.
Impact:
With this Yahoo! server 'flaw' you can monitor the online activity of the
people you've added without permission. You can determine whether or not
they're "Available" and read their custom status messages that could contain
private information such as private links and text (phone numbers, away
messages etc).