Yahoo Messenger exploit spams your friends

Yahoo Messenger flaw is unpatched.

The zero-day flaw allows remote attackers to mess with users’ status messages. It affects Yahoo Messenger right up to the recently-released version.

Bitdefender security researchers warned that this type of attack is dangerous because it abuses basic trust. Your friends and family see your status update, and if it contains an innocent-looking link, they are a lot more likely to click through than if they had just received unsolicited spam.

The flaw is exploited when the rogue attacker simulates sending a file to a targeted user. The bogus file transfer tricks Messenger into loading an iFrame which then changes the status message to whatever the attacker wants it to be.

The iFrame comes over as a regular message from another Yahoo Instant Messenger user, even if the user isn’t in the victim’s contact list.

If you are worried about being targeted, you should change your Yahoo Messenger settings to ignore people not on your contact list. That won’t stop your friends’ status messages from being changed, so stay vigilant.
