Yahoo! 0-day! exploit! hijacks! status! updates!

Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user's status message. Hijacked status updates are a handy way to persuade a victim's contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client …


  1. Gordon 10


    Is a weeping sore.

    My wife's and dozens of other mail accounts got compromised through a Messenger flaw that seems to bypass the normal password challenge. It seems you cannot turn the Messenger-to-mail linkage off at all.

  2. Mr Young

    Keep! up! the! good! work!


  3. Anonymous Coward

    Point of Clarification

    When I read this article my first thought was:

    "Duh, don't accept file transfers from people you don't know"

    When you actually read the MalwareCity blog that the article points to it clarifies that the exploit is actually injected into and run from the file transfer accept/deny dialog, so once you've got the request you're already 'sploited.

    The El Reg article says they're trying to send a file that's actually an iframe, but actually that iframe is already automatically sent and run.

    The bottom-line action (denying off-list messages) is still the same, but I think it's an important point of clarification.

  4. darren.b

    Miranda IM

    I've never installed any of the official messengers since 2004. Dabbled with Miranda IM back then and haven't looked back.

  5. Framitz

    Anyone ?

    Anyone use that crap?

  6. Anonymous Coward


    This particular issue allows an iframe to be injected into an instant message. The iframe is then executing JS that is accessible in the IM (which looks something like a pastebin by the name of edKmYV3h). If you look very closely, this issue with the JS (and, by extension of Messenger's functionality, outside-of-IM controls) becomes much more concerning. Currently, although unmentioned, this allows someone to execute scripts on a victim to send unsolicited instant messages and other packets from the victim, close the client, and possibly set or read Messenger preferences.

    All said and done, Messenger is a prime candidate for a botnet until this is patched.
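The mechanism described in comments 3 and 6 (markup in an incoming message or file-transfer request being rendered as live HTML, so an attacker-supplied iframe runs in the victim's client) is a plain HTML-injection bug in a message renderer. The block below is an added illustration, not Yahoo! Messenger's code and not anything posted in this thread: it shows a renderer that concatenates the raw message body into HTML next to one that escapes it, and a check for active elements in the rendered output. The sample messages, the sender name "alice", the placeholder URL attacker.invalid and all function names are constructed for the example.

```javascript
// Added illustration of the message-rendering flaw class discussed in the thread.
// Not Yahoo!'s code; sample messages and names are constructed for this example.

// Constructed sample messages: plain text, a message carrying a hidden iframe
// (the shape described in the thread; URL is a placeholder), and a script tag.
const SAMPLE_MESSAGES = [
  "hey, check this out",
  'file for you <iframe src="http://attacker.invalid/payload" width="0" height="0"></iframe>',
  "<script>alert(1)</script> lol",
];

// Vulnerable renderer: the raw body is concatenated into the HTML the chat
// window displays, so any markup the sender puts in the body becomes live
// markup on the receiving side. This is the behaviour the thread describes.
function renderUnsafe(from, body) {
  return `<div class="im"><b>${from}</b>: ${body}</div>`;
}

// HTML-escape the five characters that can open or close markup or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: sender name and body are escaped before being placed in
// the template, so a sent "<iframe ...>" is shown as text, never executed.
function renderSafe(from, body) {
  return `<div class="im"><b>${escapeHtml(from)}</b>: ${escapeHtml(body)}</div>`;
}

// Receiving-side check: does the rendered HTML contain an element that can
// load remote content or run script? A sender should never be able to add one.
const ACTIVE_TAG = /<\s*(iframe|script|object|embed)\b/i;
function containsActiveContent(html) {
  return ACTIVE_TAG.test(html);
}

// Run both renderers over the samples and report, per message, whether each
// renderer's output would have contained attacker-controlled active content.
function audit(messages = SAMPLE_MESSAGES) {
  return messages.map((body) => ({
    body,
    unsafeInjects: containsActiveContent(renderUnsafe("alice", body)),
    safeInjects: containsActiveContent(renderSafe("alice", body)),
  }));
}

console.log(JSON.stringify(audit(), null, 2));
```

Escaping is the minimum fix; a client that genuinely needs rich text in messages should instead parse the body and re-emit only an allow-list of harmless tags, and should not render file-transfer prompts through the same HTML path as message bodies at all.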

  7. Anonymous Coward

    yahoo knew ages ago but did nothing

    I had a friend whose Yahoo account was compromised; he'd get 6000 spam messages a week. After phoning Yahoo they said they couldn't fix it but attempted to block the sender, who had numbers after the name from 1-100. Even though I blocked them, new names just kept coming up from 1-100.

    In the end I created a new account for him.

    When I was first alerted he had 27000 e-mails.

  8. vilemeister

    Oh Dear,

    Seriously, El Reg, when is this joke going to get old?

