
New Yahoo Messenger zero-day exploit allows hijacks, malware


Users of Yahoo!'s Messenger software were warned over the weekend against a new zero-day exploit that can be used to hijack a user's status update and to spread malware.
 
The exploit in version 11 of the Messenger software lets a remote attacker arbitrarily change the status message, a computer security firm reported.
 
"The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the accept or deny the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker's custom text. This status may also include a dubious link," BitDefender's MalwareCity.com site said.
 
"One scenario: the victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim’s status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked," it added.
 
It said the iFrame is sent as a regular message and comes from another Yahoo Instant Messenger user, even if the user is not in the victim’s contact list.
 
When the Yahoo Messenger client receives the data from an attacker exploiting the vulnerability, it tries to display it but actually executes the payload.
 
MalwareCity.com warned that once a status message has been hijacked, there is a chance the victim's friends may click on it.
 
"Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them," it said.
 
Cybercriminals
 
MalwareCity.com said cybercriminals may see lucrative opportunities in the vulnerability by directing victims to sites that pay affiliates for visits or purchases through a custom link.
 
"Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business," it said.
 
It said users can protect themselves for now if they have Yahoo Messenger set to “ignore anyone who is not in your Yahoo! Contacts.” — TJD, GMA News