SecurityTracker.com
Category:  Application (Instant Messaging/IRC/Chat)  >  Yahoo Messenger
Vendors:  Yahoo
Yahoo! Messenger Weak Encoding Algorithm Discloses Archived Messages to Local Users
SecurityTracker Alert ID:  1007587
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 27 2003
Impact:  Disclosure of user information
Vendor Confirmed:  Yes  
Version(s): Tested on 5,6,0,1344
Description:  Thai Duong reported a vulnerability in Yahoo! Messenger. A local user can obtain the message archive and the buddy list due to the use of a weak encoding algorithm.

It is reported that the "Archive" feature, when enabled, uses a simple XOR algorithm to store all instant messaging communications on the local system. The messages are reportedly XOR'd with the target user's Yahoo! Messenger ID (YID) and stored in a 'dat' file:

\path\to\Yahoo Messenger\Profiles\{Your YID}\Archive\Messages\{Your friend's YID}\*.dat
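
The following is an added example, not code from the advisory or the reporter. It shows on constructed data why the scheme gives no confidentiality: the encoding is its own inverse, the key (a YID) is disclosed by the directory layout above, and a guessed plaintext prefix yields the key directly. It assumes a plain repeating-key XOR over the message bytes; the actual record layout of the 'dat' files is not described on this page and is not modeled, and the IDs `alice_demo` and `bob_demo` are made up.

```python
import ntpath
from itertools import cycle

def xor_with_id(data: bytes, yid: str) -> bytes:
    """Repeating-key XOR keyed by an account ID; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(yid.encode("ascii"))))

def ids_in_archive_path(path: str) -> dict:
    """Read both account IDs from ...\\Profiles\\<owner>\\Archive\\Messages\\<friend>\\*.dat."""
    parts = ntpath.normpath(path).split("\\")
    i = parts.index("Profiles")
    return {"owner": parts[i + 1], "friend": parts[i + 4]}

def decode_candidates(path: str, blob: bytes) -> dict:
    """Decode the blob with every ID that the directory layout itself discloses."""
    return {role: xor_with_id(blob, yid) for role, yid in ids_in_archive_path(path).items()}

def key_from_known_plaintext(blob: bytes, known_prefix: bytes) -> bytes:
    """Stored bytes XOR a guessed plaintext prefix gives the key bytes directly."""
    return bytes(c ^ p for c, p in zip(blob, known_prefix))

# Constructed sample data (not taken from a real archive file).
SAMPLE_PATH = r"X:\path\to\Yahoo Messenger\Profiles\alice_demo\Archive\Messages\bob_demo\sample.dat"
SAMPLE_MESSAGE = b"see you at the usual place at six"
SAMPLE_BLOB = xor_with_id(SAMPLE_MESSAGE, "alice_demo")

if __name__ == "__main__":
    print(ids_in_archive_path(SAMPLE_PATH))
    print(decode_candidates(SAMPLE_PATH, SAMPLE_BLOB)["owner"])
    print(key_from_known_plaintext(SAMPLE_BLOB, SAMPLE_MESSAGE[:10]))
```

Because the key sits in the path next to the data, confidentiality of the archive on a shared host rests entirely on operating-system access controls over the profile directory.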

According to the report, a local user can enable the Archive feature by modifying some Windows registry keys:

-HKEY_CURRENT_USER/SOFTWARE/Yahoo/Pager/Profiles/{Your YID}/Archiving/Enabled: 1

-HKEY_CURRENT_USER/SOFTWARE/Yahoo/Pager/Profiles/{Your YID}/Archiving/DeletedAfter: 999

The vendor was reportedly notified August 12, 2003.

Impact:  A local user can enable archiving for another local user and can obtain the target user's archived messages.

[Editor's note: This may be of more concern on shared computers, such as public hosts.]

Solution:  No solution was available at the time of this entry.

The vendor reportedly responded on August 23, 2003 with the following text:

"Yahoo!'s encoding of archive files is not intended for nor marketed as encryption but is just a part of the application storage mechanism. Hence, after careful consideration we have determined that this scenario doesn't speak to a threat specific to Yahoo! Messenger."

Vendor URL:  www.yahoo.com/
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  Duong Ngoc Thai <thaidn@yahoo.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 27 Aug 2003 09:20:28 -0700 (PDT)
From:  Duong Ngoc Thai <thaidn@yahoo.com>
Subject:  weak encryption algorithm in Yahoo! Instant Message allow reading

 


Name: weak encryption algorithm in Yahoo! Instant Message allow reading
message archive and getting buddy list.
Severity: medium.
Version: Yahoo! Instant Messenger (5,6,0,1344) (latest build at time )
Platforms : Win98, Win2K, XP Pro, Win 2003 (and likely all Windows
versions)
Vendor: Yahoo! Corp.
Author: Thai Duong (thaidn@yahoo.com)
Date: 11/08/2003.

Description:
Yahoo! Instant Messenger (YIM) is a widely used program for
communicating with other users over the Internet. YIM has a feature
named Archive used to store all instant messaging communications,
including offline messages, alert messages, and conference messages. An
attacker with access to the victim's computer can easily read these messages.

Details:
All communication messages are XORed with the owner's Yahoo! Messenger ID
(YID) and stored in
X:\path\to\Yahoo Messenger\Profiles\{Your YID}\Archive\Messages\{Your friends' YID}\*.dat.
As you know, XOR is very easy to crack.
Message archiving is turned off by default and no one except you can
enable your archive. But when you use YIM on public computers, it's
trivial for attackers to enable this feature just by adding or modifying
some registry keys as below:

-HKEY_CURRENT_USER/SOFTWARE/Yahoo/Pager/Profiles/{Your YID}/Archiving/Enabled: 1
  --> start your message archiving, hence attackers also get a list of
  recently active buddies.
-HKEY_CURRENT_USER/SOFTWARE/Yahoo/Pager/Profiles/{Your YID}/Archiving/DeletedAfter: 999
  --> reading your message archiving in 999 days :-).

Next, as easily as enabling the archiving feature, attackers can get your
XORed files. After that, they can decrypt them by XORing with your YID.
In fact, people often talk about sensitive information such as credit
card information, username and password... through YIM, so the potential
impact of this vulnerability poses a highly significant threat to users
who do not soon upgrade their Yahoo! Messenger clients.

Vendor Status:
Yahoo! was informed of this vulnerability on 12/08/2003, and they
responded on 23/08/2003 as below:

  "Yahoo!'s encoding of archive files is not intended for nor marketed as
   encryption but is just a part of the application storage mechanism.
   Hence, after careful consideration we have determined that this
   scenario doesn't speak to a threat specific to Yahoo! Messenger"

So what kind of privacy does Yahoo provide to its users? Just a guest
account is enough for the world to see what you are chatting about with
your girlfriend!


Copyright 2002, SecurityGlobal.net LLC