Yahoo Messenger: Invisible User Detect

From: cringe (cringeat_private)
Date: Wed Nov 06 2002 - 07:31:52 PST


    Yahoo! has been informed of this information, but has not yet responded.
    
    Yahoo Messenger: Invisible User Detect
    
    Vulnerable Versions:
    
    Yahoo Messenger/MyYahoo Module
    
    5,0,0,1046/3,0,0,423
    
    5,0,0,1232/5,5,0,449
    
    Note: These are the only versions tested; it probably works on all versions.
    
    Information:
    
    Yahoo Messenger is Instant Messaging software that allows you to send
    messages to anyone in the world who has this software installed. This IM
    also comes with a feature that allows you to mark yourself "Invisible" so
    you can see if others are online, but no one else can see that you are
    online. Yahoo IM also allows the client user to share files on their local
    computer for others to view. When a user tries to view your available list
    of shared files, Yahoo Messenger asks you if you would like to give this
    user access.
    
    Exploit:
    
    When you try to access another user's shared files, you will get a pop-up
    with a message that either reads "Asking for permissions" or "user offline".
    Even if the user is marked Invisible, you will still receive a message
    confirming that the user is online and is being asked to allow you
    permissions. So even when your friends look like they are offline, right
    click on their name and select "View Shared Files" to find out for sure!
    
    - cringe
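
Added example, not part of the original post and not Yahoo's code: a toy presence model showing why the reply to a shared-files request acts as a presence oracle, next to a handler that answers from the published status instead. The `User`, `Presence` and handler names are assumptions; only the two status strings come from the post.

```python
# Toy model (assumption): three presence states and one side feature.
from dataclasses import dataclass
from enum import Enum


class Presence(Enum):
    OFFLINE = "offline"
    INVISIBLE = "invisible"   # connected, but chose to appear offline
    ONLINE = "online"


@dataclass
class User:
    name: str
    presence: Presence


# Status strings as quoted in the post.
ASKING = "Asking for permissions"
USER_OFFLINE = "user offline"


def leaky_share_request(target: User) -> str:
    """Behaviour described in the post: the reply follows the real
    connection state, so invisible and offline users look different."""
    if target.presence is Presence.OFFLINE:
        return USER_OFFLINE
    return ASKING


def hardened_share_request(target: User) -> str:
    """Reply from the presence the target chose to publish: an invisible
    user gets the same answer as an offline one, and the request is not
    forwarded to their client."""
    if target.presence is Presence.ONLINE:
        return ASKING
    return USER_OFFLINE


def is_oracle(handler) -> bool:
    """Regression check: True if a requester can tell invisible from
    offline by comparing the handler's replies (constructed users)."""
    offline = handler(User("sample_offline", Presence.OFFLINE))
    invisible = handler(User("sample_invisible", Presence.INVISIBLE))
    return offline != invisible
```

The same `is_oracle` check applies to any other feature that replies differently depending on whether the target's client is connected.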
    


