Warn users of Yahoo Instant Messenger security risk

BitDefender researchers discovered a Yahoo! Messenger flaw that could be exploited to send users to malicious spam links. Make sure your users are aware of the threat.

Researchers from BitDefender are warning Yahoo Messenger users of an unpatched vulnerability that lets attackers alter users' status messages and possibly perform other unauthorized actions, which could be exploited to direct users to malicious spam links, according to Computerworld. The flaw, found in the application's file transfer API, lets an attacker use a script of less than 50 lines of code to send malformed requests that result in the execution of commands without any involvement from the victim.

In a blog post, Bogdan Botezatu, a researcher at security firm BitDefender, says, "If you can receive messages from contacts outside of your [Yahoo Instant Messenger] list, you are 100% vulnerable." The exploit affects Yahoo Messenger version 11.x, including the newly released (Also note that, according to the Yahoo! Messenger blog, Yahoo ended support for the previous Yahoo! Web Messenger as of November 1, 2011 and urged users to download the new desktop client 11.x or use IM through Yahoo! Mail.)

BitDefender says Yahoo is aware of the vulnerability, but has yet to respond. The company has offered Yahoo proof-of-concept code to help close the exploit, reports


I do use Yahoo for e-mail (no limit on storage) and belong to a few Yahoo groups. However, I have seen spam sent in my name and in the names of others I know who use Yahoo e-mail. I have also belonged to groups that have had their membership list hacked and used for spam purposes. I had one situation where I reported to Yahoo that someone had hacked the address list and sent them e-mails (which originated from outside the US). The tech support reply was that I should do a "better job" of securing my system and not let others use my passwords, use my PC, and a number of other "blame the user" excuses. When I replied that no one else uses my PC and no one else is ever in the room where my PC is located (no young children nor grandchildren living here, and the wife does not go anywhere near my PC and doesn't even program the VCR) and forwarded the reply in one of the spam e-mails, I never heard back. I have also had other issues with Yahoo support. Their initial take is that you are "ignorant" and haven't a clue nor read any of their "typically non-helpful Help" (except maybe for those who really are clueless), even when you point out where the potential problem may lie (and the steps you have taken to get past the problem). Somehow they never seem to read what was stated. More than once I have replied that if they had read my problem description and the steps taken to solve it, they would not have replied with a "stock irrelevant answer". I do realize that they are providing a "free service" for most users and do appreciate it. I also realize that they are probably inundated with complaints and other problems and also understaffed, but a few extra seconds should be taken to read and understand the problem rather than spend even more time getting into a round of "unresolved e-mails".