0-Day Vulnerability in Yahoo Messenger, An Attacker Can Change The Status Update Remotely

Zero day exploit found in Yahoo messenger allowing attackers to change the status update remotely. Version 11.x of the Messenger client (including the freshly-released is infected with this 0day vulnerability. The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the accept or deny the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker's custom text. This status may also include a dubious link. This iFrame is sent as a regular message and comes from another Yahoo Instant Messenger user, even if the user is not in the victim’s contact list. The exploit delivers its payload when the attacker simulates sending a file to the user. The bogus file tricks Messenger into loading an iFrame that then swaps the status message for whatever garbage the attacker wants to load, including a potentially "dubious" link, as Bitdefender describes it. The iFrame comes over as a regular message from another Yahoo Instant Messenger user, even if the user isn't in the victim's contact list.

  • Why it is so dangerous? 
Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them. One scenario: the victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim’s status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.
Another lucrative approach to changed status messages is affiliate marketing (ie: sites that pay affiliates for visits or purchases through a custom link). Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.

  • Who is Safe?
You are running a Bitdefender security solution (Bitdefender Antivirus Plus, Bitdefender Internet Security or Bitdefender Total Security). We detect this threat via the HTTP scanner and block it before it reaches the Messenger application.
You have Yahoo Messenger set to “ignore anyone who is not in your Yahoo! Contacts“(which is off by default).


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Related Posts Plugin for WordPress, Blogger...