Vulnerability Development mailing list archives

Possible security exploit on Yahoo! Messenger : permits disclosure of any logged party's authentication and profile information


From: "CheetaChat Security Group" <security () cheetachat com>
Date: 18 Nov 2001 06:53:10 -0000

(Information provided by third party, not verified for accuracy. Please 
contact submitter (in message body) for details.)

Path of replication:

Standalone winsock client, based on the logged packet handshake between Y! 
Messenger and the Yahoo messenger server. After a successful authentication 
handshake, profile and authentication information for other logged parties 
can be obtained by simply attempting authentication; the password hash 
exchange that follows is not validated for authenticity.

Information provided by:

Name: Jason Cook (mystikal)
E-Mail: mystikal () cableone net

Impact: Allows any person to gain access to any logged user's security 
authentication and profile, and access to Yahoo! systems that utilize that 
authentication information.

More specifically, it gives the exploiter access to people's profiles, 
information about a person's contact information, editing information, and 
possibly access to private files and mail.

This appears to be actively exploited in the wild at the moment. Persons 
have logged in with admin aliases who are clearly not such persons, and 
are abusing administrative commands.

Exploit code is available from:

Name: Jason Cook (mystikal)
E-Mail: mystikal () cableone net
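
A toy model of the server-side flaw reported above, next to a handler that validates the response before releasing anything. This is an added example, not part of the original post and not Yahoo!'s protocol or code; the `Session` class, the HMAC-SHA256 response format and the account data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy account store; not Yahoo! data or the real wire format.
USERS = {"alice": {"password": "correct horse",
                   "profile": {"email": "alice@example.test"}}}


def expected_response(password: str, challenge: bytes) -> bytes:
    """Response the client must send: a keyed hash of the server's challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Session:
    """Per-connection state for a hypothetical challenge/response login."""

    def __init__(self):
        self.user = None           # identity claimed by the client
        self.challenge = None      # server nonce for the current attempt
        self.authenticated = False

    def begin(self, user: str) -> bytes:
        # A new attempt always resets state, so an earlier successful login
        # on this connection cannot carry over to a different claimed user.
        self.user, self.authenticated = user, False
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def finish_flawed(self, response: bytes):
        # Models the reported flaw: the response is never checked, so the
        # claimed identity is trusted and its profile is handed out.
        self.authenticated = True
        return USERS[self.user]["profile"]

    def finish_checked(self, response: bytes):
        record = USERS.get(self.user)
        challenge, self.challenge = self.challenge, None  # single-use nonce
        if record is None or challenge is None:
            return None
        want = expected_response(record["password"], challenge)
        if not hmac.compare_digest(want, response):
            return None            # fail closed: no profile, no session
        self.authenticated = True
        return record["profile"]
```
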

