Skip the navigation
)
News

Yahoo Messenger flaw enables spamming through other people's status messages

The unpatched vulnerability in Yahoo Messenger allows attackers to change other people's status messages automatically

By Lucian Constantin
December 2, 2011 08:12 AM ET

IDG News Service - An unpatched Yahoo Messenger vulnerability that allows attackers to change people's status messages and possibly perform other unauthorized actions can be exploited to spam malicious links to a large number of users.

The vulnerability was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer's report about unusual Yahoo Messenger behavior.

The flaw appears to be located in the application's file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.

"An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the victim," said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender.

"Status changing appears to be only one of the things the attacker can abuse. We're currently investigating what other things they may achieve," he added.

Victims are unlikely to realize that their status messages have changed and if they use version 11.5 of Yahoo Messenger, which supports tabbed conversations, they might not even spot the rogue requests, Botezatu said.

This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites or to spam malicious links that point to drive-by download pages.

Drive-by download attacks exploit unpatched vulnerabilities in browser plug-ins like Java, Flash Player, or Adobe Reader, and are currently one of the primary methods of distributing malware.

Links included in status messages usually have a high click-through rate because they are addressed to the victim's friends. This means that URLs spammed in this way will be clicked by most of their contacts, the BitDefender researchers said.

According to the antivirus vendor, Yahoo was notified about the vulnerability through the appropriate channels. However, the company did not immediately respond to a request for comment sent by IDG.

Until this vulnerability is fixed, users can protect themselves by configuring Yahoo Messenger to ignore anyone who is not in their Messenger list. However, this option will not prevent attacks from their current contacts.

Reprinted with permission from IDG.net. Story copyright 2012 International Data Group. All rights reserved.
What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
Additional Resources
Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Malware and Vulnerabilities White Papers
Practice Management: Double Billing Rate and Improve Patient Services
Would you like to double your billing rate and achieve faster payment for services?

Download this customer success story to see how One Health...
Mission Critical Data Explosion and Customer Case Study
Would you like to double your tier 1 storage capacity while simultaneously reducing your storage footprint?

Download this customer success story to see how...
Protecting Against Database Attacks and Insider Threats: Top 5 Scenarios
Read this new eBook to learn the top five scenarios and essential best practices for preventing database attacks and insider threats.
Database Activity Monitoring Is Evolving
Read the analyst report and learn how you can leverage the core capabilities of a DAP solution for better database security.
Establishing a Strategy for Database Security is No Longer Optional
The options for securing increasingly valuable databases are very broad and deep, and can be confusing. This research provides an overview of three...
All Malware and Vulnerabilities White Papers
Malware and Vulnerabilities Webcasts
Distributed Database Security with Real-time Monitoring
View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
InfoSphere Warehouse Packs Demo
These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
Delivery Management -- Extending Lifecycle Management
Date: Wednesday, June 20, 2012, 1:00 PM EDT

Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,...
Leverage automation today to reduce IT complexity
Date: Tuesday, June 5, 2012, 2:00 PM EDT

Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific...
Redefine Expectations in the Data Center
Need to do more with less? Watch this video to learn how HP ProLiant Gen8 servers can help your business deploy servers three...
All Malware and Vulnerabilities Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs