
Topic: Yahoo! Messenger “Online Status” Privacy Issue

  1. #1
    Chet is offline Junior Member
    Join Date
    Jun 2004
    Location
    .
    Posts
    8

    Yahoo! Messenger “Online Status” Privacy Issue

    I've seen quite a few questions similar to "how does someone know I'm online even if I put them on my Messenger ignore list?" being posted to several Yahoo-related forums. The following privacy bulletin contains information about a flaw found in Yahoo! Messenger and the Yahoo! servers that allows this to happen if you have placed the user on your ignore list.

    The information concerning the flaw has already been forwarded to Yahoo! Inc. and is expected to be fixed fairly soon.



    Title: Yahoo! Messenger “Online Status” Privacy Issue
    Author: Chet Simpson
    Date: July 8th, 2004
    Application affected: Yahoo! Messenger 5.5 (all builds)
    Application affected: Yahoo! Messenger 5.6 (all builds)
    Application affected: Yahoo! Messenger 6.0 (all builds)
    Example included: Yes


    Summary:
    --------

    A flaw exists in the Yahoo! Messenger client application and servers that can allow a user to add someone to their buddy list and view the target's online status if the target has ignored them.


    Details:
    --------

    Yahoo! Messenger includes features that allow a user to ignore other people. When a user has been added to the ignore list, all communications from that user are still transmitted by the Yahoo servers and are instead blocked by Messenger. Because Messenger ignores all communications from users who have been ignored, anytime a blocked user attempts to add the other person as a “buddy” the operation automatically completes successfully.

    Although the current architecture of the Yahoo! servers allows this operation to be completed successfully, it normally does not allow the blocked user to view the online status of the person who ignored them. There are, however, two flaws in the Yahoo server architecture which allow a blocked user to bypass this restriction and view whether the user is online or not.

    The first flaw occurs when the blocked user is removed from the ignore list. Because the original “add buddy” request was filtered by Messenger, no rejection or denial operation occurred. Once the user has been removed from the ignore list, the restriction prohibiting them from viewing the other person's online status is automatically removed. Although the restriction is removed, the user who was added as a buddy does not receive a notification of the “add buddy” request.

    The second flaw takes a little more effort but allows a blocked user to add the person who ignored them and immediately view the target's online status. This technique requires that the “attacker” create a profile ID(1) and coax their target into placing that name onto the ignore list. Once a profile ID has been added to the list of ignored users, the attacker simply deletes the profile ID and the restriction to view the target's online status is automatically lifted.


    Detailed Steps:
    ---------------

    The following describes the necessary steps to add a user as a buddy and view their online status without their consent.

    1. Log into http://edit.yahoo.com/config/eval_profile using an existing Yahoo ID (or create one).
    2. Create a Profile ID.
    3. Log into Yahoo! Messenger.
    4. Contact the intended target using the profile ID and coax them into placing that name onto their list of ignored users.
    5. Add the user as a buddy.
    6. Delete the profile ID.
    7. Log out of Yahoo! Messenger.
    8. Log back into Yahoo! Messenger.

    If the user is online and has not logged in using the “invisible” mode, their online status will be displayed in your buddy list.


    Third Party Clients:
    --------------------

    Third party clients that use the Ignore List feature provided through the Yahoo! Messenger protocol and/or implement their own Ignore List feature may also be at risk if they do not implement the proper handling of Add Buddy requests received from ignored users.


    Work Around:
    ------------

    The only method to avoid this flaw is to refrain from using the Ignore User list feature in Yahoo! Messenger. Until this flaw is fixed by Yahoo! Inc., users who are worried that this flaw might be used against them should change their Yahoo! Messenger Ignore List preferences to block all communications from people who are not on their buddy list. This setting allows the buddy add requests to be passed on to Yahoo! Messenger but (should) block all other communication from users who are not on your buddy list.


    (1) A profile ID or alias is simply an additional username that can be used at the same time as your normal Yahoo! ID. For more information on profile IDs see http://help.yahoo.com/help/us/pager/use/use-13.html
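
An added illustration, not part of the bulletin above and not Yahoo's protocol or code: a toy Python model of the ignore and add-buddy logic the bulletin describes, with a server-enforced variant beside it that refuses the request explicitly and keys the refusal to the owning account. The class, its fields and the names `watcher`, `throwaway` and `target` are assumptions made for the example.

```python
class PresenceServer:
    """Toy model of the ignore/buddy logic in the bulletin (assumed, simplified)."""

    def __init__(self, enforce_on_server):
        self.enforce_on_server = enforce_on_server
        self.aliases = {}    # account -> profile IDs it currently owns
        self.ignored = {}    # user -> names on that user's ignore list
        self.denied = {}     # user -> accounts whose add request was refused
        self.buddies = {}    # account -> users on its buddy list
        self.online = set()

    def identities(self, account):
        return {account} | self.aliases.get(account, set())

    def add_buddy(self, account, target):
        blocked = self.identities(account) & self.ignored.get(target, set())
        if blocked and self.enforce_on_server:
            # Hardened: refuse explicitly and key the refusal to the account.
            self.denied.setdefault(target, set()).add(account)
            return "denied"
        # Bulletin behaviour: the server completes the add and the target's
        # client silently drops the request, so no denial is ever recorded.
        self.buddies.setdefault(account, set()).add(target)
        return "added"

    def delete_alias(self, account, alias):
        self.aliases.get(account, set()).discard(alias)

    def can_see_status(self, account, target):
        if target not in self.buddies.get(account, set()) or target not in self.online:
            return False
        if account in self.denied.get(target, set()):
            return False
        return not (self.identities(account) & self.ignored.get(target, set()))


def replay(enforce_on_server):
    """Regression check: visibility before and after the alias is deleted."""
    s = PresenceServer(enforce_on_server)
    s.online.add("target")
    s.aliases["watcher"] = {"throwaway"}   # constructed names
    s.ignored["target"] = {"throwaway"}
    result = s.add_buddy("watcher", "target")
    before = s.can_see_status("watcher", "target")
    s.delete_alias("watcher", "throwaway")
    after = s.can_see_status("watcher", "target")
    return result, before, after
```

`replay(False)` shows the restriction lapsing once the alias is gone; `replay(True)` shows that a recorded denial leaves no buddy entry behind for a later alias deletion or un-ignore to expose.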


  2. #2
    tangledlisa is offline Senior Member
    Join Date
    Jan 2003
    Location
    Columbus, Ohio, USA.
    Posts
    272
    Thanks for the info Chet

  3. #3
    Wildatheart Guest
    Well, correct me if I'm wrong, but isn't this where deny a buddy comes in? After you place them on ignore you can then use deny a buddy to take yourself off that person's list.

    And then they couldn't re-add you a second time. Or am I wrong?

  4. #4
    Justified Guest
    There are two things you need to add to this: 1. Person A deletes their profile and Person B then decides to use deny a buddy. It won't work because the PROFILE doesn't exist.

    If Person A then decides to recreate the profile, Person B, who already has that ID on ignore, can't delete themselves off of Person A's profile.

    Now if you try to message the person that has you on ignore, your messenger will say "Session Expired please re-login" and it will log you out (or at least MINE DOES). If you try this and find out yours doesn't log you out, could you let me know, or if deny a buddy works for you on this?

  5. #5
    Join Date
    Mar 2003
    Location
    USA.
    Posts
    69
    Yahoo still hasn't fixed this security issue. It is still possible for someone to message you, you put them on ignore, and then if they add you to their messenger, it accepts it without you being the wiser. They are able to see what you are doing, where you are, and your status.

    Since this is the case, I am having a hard time trying to understand the whole point of ignore if it doesn't even work!

  6. #6
    EliteNick is offline Senior Member
    Join Date
    Jul 2004
    Posts
    343
    Yahoo! needs to change its entire approach to customer service and fixing problems. Any time you have a problem, they always just send back auto-responder e-mails. Big problems that everyone experiences sometimes take years for Yahoo! to become aware of and fix. That's the only thing I don't like about Yahoo!, Inc.

    Art is my life

  7. #7
    Dobrin is offline Junior Member
    Join Date
    May 2005
    Location
    Varna , Bulgaria
    Posts
    22
    Is it still possible to bypass the ignore?

  8. #8
    Dermot is offline Here to help!
    Join Date
    Dec 2004
    Location
    Louth, Ireland.
    Posts
    1,426
    No, not in chat; it's server-side and Yahoo only allows 99 people on it per ID.

    Voice ignore is a different matter though.
    Irish Gaming - 1000+ Games and climbing!

  9. #9
    ismart is offline Junior Member
    Join Date
    Jul 2006
    Posts
    10
    Thank you very much. It's useful for me.

  10. #10
    dvelez1985 is offline Senior Member
    Join Date
    Sep 2005
    Location
    Helotes, Texas
    Posts
    231
    Chet... Simpson?

    Ah yes the creator of YTunnel.
