<<< Date Index >>>     <<< Thread Index >>>

Yahoo! Chat Add Buddy Without Consent Privacy Issue




Title: Yahoo! Chat Add Buddy Without Consent Privacy Issue
Discovered By: Torseq Tech. <bindshell@xxxxxxxxx>
Date: Friday, May 13, 2005
Services affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: No (needs fixed server-side)
Description: A vulnerability exists in Yahoo!'s Chat servers that allows for 
chatters to be added to your friends list completely without their knowledge or 
permission of the operation. As a result private status messages can be read 
and online Yahoo! Chat activity can be monitored stealthily.


Details:

A feature that can be found in Yahoo! Messenger ver. 5.x/6.0 under the Contacts 
tab, "Invite People to Yahoo! Messenger..." and under the "Add people" option 
contains a loophole that allows for a person to be added to another person's 
friends list completely without their knowledge or consent. This feature allows 
for an e-mail to be sent (through Yahoo!'s HTTP servers) inviting another 
person to download and use Yahoo! Messenger. In the e-mail (generated from the 
template) is a vulnerable link that can be altered to your liking. By 
specifying an e-mail address different from the yahoo.com domain names you can 
view the template responsible for generating this link and sending the e-mails. 
Once the link is tweaked all you need to do is plug it into your browser's 
address bar and sign into the Yahoo! account that you want the target to be 
added as a friend on. Once signed in the operation is completed.. no 
user-interaction required. If you're already signed into yahoo.com then s
 imply tweaking the link and surfing to it will complete the operation for you.

Yahoo! is tricked into thinking that a person received an e-mailed invitation 
permitting them to add the sender as a friend, and as the result no add buddy 
request confirmation is ever sent to the id being added (the supposed "sender" 
of this e-mail), exploiting a trust-based relationship. No e-mail needs to be 
sent (no invitation) to accomplish this since we already know the link and the 
e-mail would infact give us away (since then the receiver could add 'US' 
without our knowledge and make them aware of the invitation in the first place 
- raising suspicion of the whole intent of the actual invitation).

Link examples:

Skip Add Buddy "Accept" step and add immediately with no steps after signing in:

http://friends.msg.yahoo.com/invite?id=ID_TO_ADD&intl=us&op=add&dl=1


Go through with Add Buddy "Accept" step and add after confirmation of the 
operation:

http://friends.msg.yahoo.com/invite?op=accept&id=ID_TO_ADD&intl=us

Where "ID_TO_ADD" would be the id of the person you're wanting to add to your 
Yahoo! account that you'd be signing into from these links.

Impact:

With this Yahoo! server 'flaw' you can monitor the online activity of the 
people you've added without permission. You can determine whether or not 
they're "Available" and read their custom status messages that could contain 
private information such as private links and text (phone numbers, away 
messages etc).