I've seen quite a few questions similar to "how does someone know I'm online even if I put them on my Messenger ignore list?" being posted to several Yahoo-related forums. The following privacy bulletin contains information about a flaw found in Yahoo! Messenger and the Yahoo! servers that allows this to happen if you have placed the user on your ignore list.
The information concerning the flaw has already been forwarded to Yahoo! Inc. and is expected to be fixed fairly soon.
Title: Yahoo! Messenger “Online Status” Privacy Issue
Author: Chet Simpson
Date: July 8th, 2004
Application affected: Yahoo! Messenger 5.5 (all builds)
Application affected: Yahoo! Messenger 5.6 (all builds)
Application affected: Yahoo! Messenger 6.0 (all builds)
Example included: Yes
Summary:
--------
A flaw exists in the Yahoo! Messenger client application and servers that can allow a user to add someone to their buddy list and view the target's online status if the target has ignored them.
Details:
--------
Yahoo! Messenger includes features that allow a user to ignore other people. When a user has been added to the ignore list, all communications from that user are still transmitted by the Yahoo servers and are instead blocked by Messenger. Because Messenger ignores all communications from users who have been ignored, anytime a blocked user attempts to add the other person as a “buddy” the operation automatically completes successfully.
Although the current architecture of the Yahoo! servers allows this operation to be completed successfully, it normally does not allow the blocked user to view the online status of the person who ignored them. There are, however, two flaws in the Yahoo server architecture which allow a blocked user to bypass this restriction and view whether the user is online or not.
The first flaw occurs when the blocked user is removed from the ignore list. Because the original “add buddy” request was filtered by Messenger, no rejection or denial operation occurred. Once the user has been removed from the ignore list, the restriction prohibiting them from viewing the other person's online status is automatically removed. Although the restriction is removed, the user who was added as a buddy does not receive a notification of the “add buddy” request.
The second flaw takes a little more effort but allows a blocked user to add the person who ignored them and immediately view the target's online status. This technique requires that the “attacker” create a profile ID(1) and coax their target into placing that name onto the ignore list. Once a profile ID has been added to the list of ignored users, the attacker simply deletes the profile ID and the restriction to view the target's online status is automatically lifted.
Detailed Steps:
---------------
The following describes the necessary steps to add a user as a buddy and view their online status without their consent.
1. Log into http://edit.yahoo.com/config/eval_profile using an existing Yahoo ID (or create one).
2. Create a Profile ID.
3. Log into Yahoo! Messenger.
4. Contact the intended target using the profile ID and coax them into placing that name onto their list of ignored users.
5. Add the user as a buddy.
6. Delete the profile ID.
7. Log out of Yahoo! Messenger.
8. Log back into Yahoo! Messenger.
If the user is online and has not logged in using the “invisible” mode their online status will be displayed in your buddy list.
Third Party Clients:
--------------------
Third party clients that use the Ignore List feature provided through the Yahoo! Messenger protocol and/or implement their own Ignore List feature may also be at risk if they do not implement the proper handling of Add Buddy requests received from ignored users.
Work Around:
------------
The only method to avoid this flaw is to refrain from using the Ignore User list feature in Yahoo! Messenger. Until this flaw is fixed by Yahoo! Inc. users who are worried that this flaw might be used against them should change their Yahoo! Messenger Ignore List preferences to block all communications from people who are not on their buddy list. This setting allows the buddy add requests to be passed on to Yahoo! Messenger but (should) block all other communication from users who are not on your buddy list.
(1) A profile ID or alias is simply an additional username that can be used at the same time as your normal Yahoo! ID. For more information on profile IDs see http://help.yahoo.com/help/us/pager/use/use-13.html
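The bulletin's first flaw and its "Third Party Clients" note, as an added example that is not part of the original bulletin or post: a toy Python model contrasting a server where the ignore entry is the only barrier to presence with one that rejects the request outright and shows status only after explicit approval. Every class, method and user name is hypothetical, and nothing here reflects Yahoo!'s actual protocol or server code.

```python
# Added illustration: a toy model, not Yahoo!'s protocol or server code.
# Every class, method and user name here is hypothetical.

class PresenceServer:
    def __init__(self, hardened):
        self.hardened = hardened
        self.ignored = set()   # (owner, ignored_id)
        self.buddies = set()   # (watcher, target) entries on watcher's list
        self.approved = set()  # (watcher, target) pairs the target accepted

    def ignore(self, owner, other):
        self.ignored.add((owner, other))

    def unignore(self, owner, other):
        self.ignored.discard((owner, other))

    def add_buddy(self, watcher, target):
        if not self.hardened:
            # Flawed: the request is forwarded and the client of an ignoring
            # target silently drops it, so nobody ever rejects it.
            self.buddies.add((watcher, target))
            return "ok"
        if (target, watcher) in self.ignored:
            return "denied"    # explicit rejection, no buddy entry is stored
        self.buddies.add((watcher, target))
        return "pending"       # status stays hidden until the target approves

    def approve(self, watcher, target):
        if (watcher, target) in self.buddies:
            self.approved.add((watcher, target))

    def can_see_status(self, watcher, target):
        if (watcher, target) not in self.buddies:
            return False
        if self.hardened:
            return (watcher, target) in self.approved
        # Flawed: the ignore entry is the only barrier, so it lapses with it.
        return (target, watcher) not in self.ignored


def scenario(hardened):
    """Ignored user adds target; target later clears the ignore entry."""
    s = PresenceServer(hardened)
    s.ignore("target", "blocked")
    result = s.add_buddy("blocked", "target")
    while_ignored = s.can_see_status("blocked", "target")
    s.unignore("target", "blocked")
    return result, while_ignored, s.can_see_status("blocked", "target")
```

In the flawed model the stored buddy entry outlives the ignore entry, which is why clearing the ignore list exposes status without any prompt; the hardened model stores nothing for a denied request.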
Thanks for the info Chet!
Well, correct me if I'm wrong, but isn't this where deny a buddy comes in? After you place them on ignore you can then use deny a buddy to take yourself off that person's list.
And then they couldn't re-add you a second time. Or am I wrong?
There are two things you need to add to this: 1. Person A deletes their profile and Person B then decides to use deny a buddy. It won't work because the PROFILE doesn't exist.
If Person A then decides to recreate the profile, Person B, who already has that ID on ignore, can't delete themselves off of Person A's profile.
Now if you try to message the person that has you on ignore, your messenger will say "Session Expired please re-login" and it will log you out (or at least MINE DOES). If you try this and find out yours doesn't log you out, could you let me know, or if deny a buddy works for you on this?
Yahoo still hasn't fixed this security issue. It is still possible for someone to message you, you put them on ignore, and then they add you to their messenger. It accepts it without you being the wiser. They are able to see what you are doing, where you are, and your status.
Since this is the case, I am having a hard time trying to understand the whole point of ignore if it doesn't even work!
Yahoo! needs to change its entire approach to customer service and fixing problems. Any time you have a problem, they always just send back auto-responder e-mails. Big problems that everyone experiences sometimes take years for Yahoo! to become aware of and fix. That's the only thing I don't like about Yahoo!, Inc.
Is it still possible to bypass the ignore?
No, not in chat; it's server-side and Yahoo only allows 99 people on it per ID.
Voice ignore is a different matter though.
Thank you very much. It's useful for me.
Chet... Simpson?
Ah yes the creator of YTunnel.