Bugtraq mailing list archives

Yahoo Messenger: Invisible User Detect


From: "cringe" <cringe () 2600dfw com>
Date: Wed, 6 Nov 2002 09:31:52 -0600

Yahoo! has been informed of this information, but has not yet responded.

Yahoo Messenger: Invisible User Detect

Vulnerable Versions:

Yahoo Messenger/MyYahoo Module

5,0,0,1046/3,0,0,423

5,0,0,1232/5,5,0,449

Note: These are the only versions tested; it probably works on all versions.

Information:

Yahoo Messenger is instant messaging software that allows you to send
messages to anyone in the world who has this software installed. This IM
also comes with a feature that allows you to mark yourself "Invisible" so
you can see if others are online, but no one else can see that you are
online. Yahoo IM also allows the client user to share files on their local
computer for others to view. When a user tries to view your available list
of shared files, Yahoo Messenger asks you if you would like to give this
user access.

Exploit:

When you try to access another user's shared files, you will get a pop-up
with a message that either reads "Asking for permissions" or "user offline".
Even if the user is marked Invisible, you will still receive a message
confirming that the user is online and is being asked to allow you
permissions. So even when your friends look like they are offline, right
click on their name and select "View Shared Files" to find out for sure!

- cringe
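
The leak described above, modelled as an added example that is not part of the original post and is not Yahoo's protocol or code: a handler whose reply follows the real connection state, next to one that answers only from the presence the requester is allowed to see. The names `User`, `Presence`, `view_shared_files_leaky`, `view_shared_files_fixed` and `leaks_presence` are hypothetical; the two reply strings are the ones quoted in the post.

```python
# Constructed model of the presence leak; not Yahoo's protocol or code.
from dataclasses import dataclass
from enum import Enum


class Presence(Enum):
    ONLINE = "online"
    INVISIBLE = "invisible"   # connected, but shown as offline to others
    OFFLINE = "offline"


@dataclass
class User:
    name: str
    presence: Presence
    prompts: int = 0          # permission pop-ups shown to this user


ASKING = "Asking for permissions"
OFFLINE_MSG = "user offline"


def view_shared_files_leaky(target: User) -> str:
    """Behaviour described in the post: the reply tracks the real connection."""
    if target.presence is Presence.OFFLINE:
        return OFFLINE_MSG
    target.prompts += 1       # invisible users are prompted too
    return ASKING


def view_shared_files_fixed(target: User) -> str:
    """Reply is derived only from the presence the requester may see."""
    if target.presence is not Presence.ONLINE:
        return OFFLINE_MSG    # invisible and offline are indistinguishable
    target.prompts += 1
    return ASKING


def leaks_presence(handler) -> bool:
    """True if the handler lets a requester tell invisible from offline."""
    invisible = User("alice", Presence.INVISIBLE)
    offline = User("alice", Presence.OFFLINE)
    return handler(invisible) != handler(offline)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_presence(view_shared_files_leaky))
    print("fixed handler leaks:", leaks_presence(view_shared_files_fixed))
```

The same differential check (same requester, same target, invisible versus offline) applies to any other feature that answers on behalf of a connected user.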

