Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user's status message. Hijacked status updates are a handy way to persuade a victim's contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 2nd December 2011 18:04 GMT Gordon 10

Messenger

Is a weeping sore.

My wife's and dozens of other mail accounts got compromised through a messenger flaw that seems to bypass the normal password challenge. It seems you cannot turn the messenger to mail linkage off at all.

0 0
Friday 2nd December 2011 18:04 GMT Mr Young

Keep! up! the! good! work!

Yahoo!

2 0
Friday 2nd December 2011 23:55 GMT Anonymous Coward

Point of Clarification

When i read this article my first thought was:

"Duh, don't accept file transfers from people you don't know"

When you actually read the MalwareCity blog that the article points to it clarifies that the exploit is actually injected into and run from the file transfer accept/deny dialog, so once you've got the request you're already 'sploited.

The el reg article says they're trying to send a file that's actually an iframe, but actually that iframe is already automatically sent and run.

The Bottomline action of denying off-list messages is still the same, but i think it's an important point of clarification.

1 0
Saturday 3rd December 2011 00:04 GMT darren.b

Miranda IM

I've never installed any of the official messengers since 2004. Dabbled with Miranda IM back then and haven't looked back.

1 0
Saturday 3rd December 2011 02:19 GMT Framitz

Anyone ?

Anyone use that crap?

0 0
Saturday 3rd December 2011 22:01 GMT Anonymous Coward

face

This particular issue allows an iframe to be injected into an instant message. The iframe is then executing JS that is accessible in the IM (which looks something like a pastebin by the name of edKmYV3h). If you look very closely this issue with the JS (and by extension of messenger's functionality, outside-of-IM controls) becomes much more concerning. Currently, although unmentioned, this allows someone to execute scripts on a victim to send unsolicted instant messages and other packets from the victim, close the client, possibly set or read messenger preferences.

All said and done, Messenger is a prime candidate for a botnet until this is patched.

0 0
Monday 5th December 2011 23:45 GMT Anonymous Coward

yahoo knew ages ago but did nothing

I had a friend whos computer yahoo account was compromised 6000 spam messages a week hed get. After phoning yahoo they said they couldn`t fix it but attempted to block the sender who had numbers after the name from 1-100 even though i blocked them it new names just kept coming up from 1-100.

In the end i created a new account for him.

When i was first alerted he had 27000 e-mails.

0 0
Wednesday 7th December 2011 13:43 GMT vilemeister

Oh Dear,

Seriously El Reg, When is this joke going to get old?

0 2