07-08-2004, 06:11 AM
Chet
Yahoo! Messenger “Online Status” Privacy Issue

I've seen quite a few questions similar to "how does someone know I'm online even if I put them on my Messenger ignore list?" being posted to several Yahoo related forums. The following privacy bulletin contains information about a flaw found in Yahoo! Messenger and the Yahoo! servers that allows this to happen if you have placed the user on your ignore list.

The information concerning the flaw has already been forwarded to Yahoo! Inc. and is expected to be fixed fairly soon.



Title: Yahoo! Messenger “Online Status” Privacy Issue
Author: Chet Simpson
Date: July 8th, 2004
Application affected: Yahoo! Messenger 5.5 (all builds)
Application affected: Yahoo! Messenger 5.6 (all builds)
Application affected: Yahoo! Messenger 6.0 (all builds)
Example included: Yes


Summary:
--------

A flaw exists in the Yahoo! Messenger client application and servers that can allow a user to add someone to their buddy list and view the target's online status even if the target has ignored them.


Details:
--------

Yahoo! Messenger includes features that allow a user to ignore other people. When a user has been added to the ignore list, all communications from that user are still transmitted by the Yahoo servers and are instead blocked by Messenger. Because Messenger ignores all communications from users who have been ignored, anytime a blocked user attempts to add the other person as a “buddy” the operation automatically completes successfully.

Although the current architecture of the Yahoo! servers allows this operation to be completed successfully, it normally does not allow the blocked user to view the online status of the person who ignored them. There are, however, two flaws in the Yahoo server architecture which allow a blocked user to bypass this restriction and view whether the user is online or not.

The first flaw occurs when the blocked user is removed from the ignore list. Because the original “add buddy” request was filtered by Messenger, no rejection or denial operation occurred. Once the user has been removed from the ignore list, the restriction prohibiting them from viewing the other person's online status is automatically removed. Although the restriction is removed, the user who was added as a buddy does not receive a notification of the “add buddy” request.

The second flaw takes a little more effort but allows a blocked user to add the person who ignored them and immediately view the target's online status. This technique requires that the “attacker” create a profile ID(1) and coax their target into placing that name onto the ignore list. Once a profile ID has been added to the list of ignored users, the attacker simply deletes the profile ID and the restriction to view the target's online status is automatically lifted.


Detailed Steps:
---------------

The following describes the necessary steps to add a user as a buddy and view their online status without their consent.

1. Log into http://edit.yahoo.com/config/eval_profile using an existing Yahoo ID (or create one).
2. Create a Profile ID.
3. Log into Yahoo! Messenger.
4. Contact the intended target using the profile ID and coax them into placing that name onto their list of ignored users.
5. Add the user as a buddy.
6. Delete the profile ID.
7. Log out of Yahoo! Messenger.
8. Log back into Yahoo! Messenger.

If the user is online and has not logged in using the “invisible” mode, their online status will be displayed in your buddy list.


Third Party Clients:
--------------------

Third party clients that use the Ignore List feature provided through the Yahoo! Messenger protocol and/or implement their own Ignore List feature may also be at risk if they do not implement the proper handling of Add Buddy requests received from ignored users.
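The following is an added example, not code from the original bulletin or from Yahoo!. It is a constructed model of the add-buddy / ignore-list interaction described under "Details", written to show what a third-party client should do differently: the server is assumed to relay every add-buddy request and to record the requester as a buddy immediately, refusing status visibility only while the requester is ignored or has been explicitly denied. All class and method names (`PresenceServer`, `VulnerableClient`, `HardenedClient`, `run_scenario`) and the "attacker"/"target" IDs are assumptions made for the model, not part of the Yahoo! Messenger protocol.

```python
from collections import defaultdict


class PresenceServer:
    """Constructed model of the server side. It forwards every add-buddy
    request to the target's client (even from an ignored ID, as the advisory
    describes) and records the requester as a buddy of the target straight
    away. Status visibility is refused only while the requester is on the
    target's ignore list or has been explicitly denied by the target."""

    def __init__(self):
        self.ignore = defaultdict(set)    # user   -> IDs that user ignores
        self.buddy_of = defaultdict(set)  # target -> IDs that added the target
        self.denied = defaultdict(set)    # target -> IDs the target rejected
        self.clients = {}                 # user   -> connected client object

    def connect(self, client):
        self.clients[client.user] = client
        client.server = self

    def set_ignore(self, user, other, ignored):
        if ignored:
            self.ignore[user].add(other)
        else:
            self.ignore[user].discard(other)

    def add_buddy(self, requester, target):
        # The request "completes successfully" on the server side and is
        # relayed to the target's client for it to accept or deny.
        self.buddy_of[target].add(requester)
        self.clients[target].on_add_request(requester)

    def deny_add(self, target, requester):
        self.buddy_of[target].discard(requester)
        self.denied[target].add(requester)

    def can_see_status(self, viewer, target):
        return (viewer in self.buddy_of[target]
                and viewer not in self.ignore[target]
                and viewer not in self.denied[target])


class VulnerableClient:
    """Drops everything from ignored IDs, including add-buddy requests, so the
    server never hears a rejection (the behaviour the advisory attributes to
    Messenger 5.5 through 6.0)."""

    def __init__(self, user):
        self.user = user
        self.server = None
        self.prompted = []  # requests the user was actually asked about

    def on_add_request(self, requester):
        if requester in self.server.ignore[self.user]:
            return  # silently discarded: the server still treats it as accepted
        self.prompted.append(requester)


class HardenedClient(VulnerableClient):
    """Same filtering, but an add-buddy request from an ignored ID is answered
    with an explicit denial so the server records it and the restriction
    survives a later un-ignore."""

    def on_add_request(self, requester):
        if requester in self.server.ignore[self.user]:
            self.server.deny_add(self.user, requester)
            return
        self.prompted.append(requester)


def run_scenario(client_cls):
    """Walk the first flaw from the advisory with the given client type:
    target ignores attacker, attacker adds target, target later un-ignores.
    Returns (visible_while_ignored, visible_after_unignore, target_prompted)."""
    server = PresenceServer()
    target = client_cls("target")
    server.connect(target)
    server.set_ignore("target", "attacker", True)
    server.add_buddy("attacker", "target")
    while_ignored = server.can_see_status("attacker", "target")
    server.set_ignore("target", "attacker", False)
    after_unignore = server.can_see_status("attacker", "target")
    return while_ignored, after_unignore, "attacker" in target.prompted


if __name__ == "__main__":
    print("vulnerable client:", run_scenario(VulnerableClient))  # (False, True, False)
    print("hardened client:  ", run_scenario(HardenedClient))    # (False, False, False)
```

In the vulnerable run the attacker gains visibility the moment the ignore entry is removed, and the target was never prompted, which is exactly the first flaw. The hardened client never prompts either, but because it sends a denial instead of dropping the request, the server keeps the restriction after the un-ignore. A client that implements its own ignore list on top of the protocol needs that explicit reject path, or the server-side state ends up the same as in the vulnerable case.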


Work Around:
------------

The only method to avoid this flaw is to refrain from using the Ignore User list feature in Yahoo! Messenger. Until this flaw is fixed by Yahoo! Inc., users who are worried that this flaw might be used against them should change their Yahoo! Messenger Ignore List preferences to block all communications from people who are not on their buddy list. This setting allows the buddy add requests to be passed on to Yahoo! Messenger but (should) block all other communication from users who are not on your buddy list.


(1) A profile ID or alias is simply an additional username that can be used at the same time as your normal Yahoo! ID. For more information on profile IDs see http://help.yahoo.com/help/us/pager/use/use-13.html
