DESCRIPTION:
I’ve found a cross-site scripting vulnerability in Yahoo! Messenger, a popular advertisement-supported
instant messaging client and protocol provided by Yahoo! Attacker can inject a malicious script with
local privilege to Y!M notification message.
The vulnerability is discovered in the chat dialog. The automatic notification message of Yahoo!
Messenger, for instance “Hai Nam Luke has signed out. (1/26/2007 10:03 PM)” or “Hai Nam Luke has
signed back in. (1/26/2007 10:04 PM)” can be easily exploited with injecting a malicious script to.
Script is disabled in chat messages but system notification messasage. That Yahoo Messenger uses
Internet Explorer to display messages, the malicious script will be run with local privilege in the
Internet Explorer Temporary Folder. This serious vulnerability could allow attacker gain the victim’s
system access.
Inject unexpected script also causes other Yahoo! Messenger’s errors.
AFFECTED VERSION:
Yahoo! Messenger 8.1.0.29 and previous versions
PROOF OF CONCEPT:
This vulnerability was reported to Yahoo!
Hai Nam Luke <[email protected]>
K46A - NEU