Yahoo! Chat Add Buddy Without Consent Privacy Issue

[Torseq Tech. <bindshell () gmail com>]

Title: Yahoo! Chat Add Buddy Without Consent Privacy Issue
Discovered By: Torseq Tech. <bindshell () gmail com>
Date: Friday, May 13, 2005
Services affected: ALL of Yahoo! Chat
Vendor: Yahoo! Inc.
Proof-of-Concept included: Yes
Fix Available: No (needs fixed server-side)
Description: A vulnerability exists in Yahoo!'s Chat servers that allows for chatters to be added to your friends list 
completely without their knowledge or permission of the operation. As a result private status messages can be read and 
online Yahoo! Chat activity can be monitored stealthily.


Details:

A feature that can be found in Yahoo! Messenger ver. 5.x/6.0 under the Contacts tab, "Invite People to Yahoo! 
Messenger..." and under the "Add people" option contains a loophole that allows for a person to be added to another 
person's friends list completely without their knowledge or consent. This feature allows for an e-mail to be sent 
(through Yahoo!'s HTTP servers) inviting another person to download and use Yahoo! Messenger. In the e-mail (generated 
from the template) is a vulnerable link that can be altered to your liking. By specifying an e-mail address different 
from the yahoo.com domain names you can view the template responsible for generating this link and sending the e-mails. 
Once the link is tweaked all you need to do is plug it into your browser's address bar and sign into the Yahoo! account 
that you want the target to be added as a friend on. Once signed in the operation is completed.. no user-interaction 
required. If you're already signed into yahoo.com then s
 imply tweaking the link and surfing to it will complete the operation for you.

Yahoo! is tricked into thinking that a person received an e-mailed invitation permitting them to add the sender as a 
friend, and as the result no add buddy request confirmation is ever sent to the id being added (the supposed "sender" 
of this e-mail), exploiting a trust-based relationship. No e-mail needs to be sent (no invitation) to accomplish this 
since we already know the link and the e-mail would infact give us away (since then the receiver could add 'US' without 
our knowledge and make them aware of the invitation in the first place - raising suspicion of the whole intent of the 
actual invitation).

Link examples:

Skip Add Buddy "Accept" step and add immediately with no steps after signing in:

http://friends.msg.yahoo.com/invite?id=ID_TO_ADD&intl=us&op=add&dl=1


Go through with Add Buddy "Accept" step and add after confirmation of the operation:

http://friends.msg.yahoo.com/invite?op=accept&id=ID_TO_ADD&intl=us

Where "ID_TO_ADD" would be the id of the person you're wanting to add to your Yahoo! account that you'd be signing into 
from these links.

Impact:

With this Yahoo! server 'flaw' you can monitor the online activity of the people you've added without permission. You 
can determine whether or not they're "Available" and read their custom status messages that could contain private 
information such as private links and text (phone numbers, away messages etc).