Exploits

Yahoo! Messenger Exploits

Yahoo! Messenger is a nice little protocol client who's security is a bit too beefed up which brings us to the first exploit, Account Locking.

Account locking has been around for a few years now  it's easily done through the web brwoser or a program called an Account Locker. This program is used to disable users from accessing yahoo messenger. It tries so many passwords in a row causing the account to launch a counter attack causing the account to lock so the user can no longer try to 'hack' into.  When your account is locked you will see the following message from yahoo.

Sometimes you'll receive this because you really did enter your password wrong or your ID is mispalled but if you have each the ID and Password correct then this would be a reason why you cannot sign in. Thanks to the new Yahoo 6.0 (BETA). It will auto-matically unlock your account buuuuuuuut if you have the old version that is currently running on the YMSG11 or lower protocol you will have to manually unlock the account.

UnLocking Accounts

To do this you must first signinto a edit server or msg server for a new cookie.to do this navigate your browser to http://edit.yahoo.com , http://mail.yahoo.com , or http://profiles.yahoo.com .Once you are here you must sign in with the account that is locked. Once signed in just exit out and sign into messeger. Also if you did not understand this you can read the help from Yahoo! website. http://help.yahoo.com 

On to our other exploits. This one is one of the biggest in yahoo history!! well atleast I feel it is. 'Hacking' through  a website.Well it's not really hacking it's more testing the limits lol.This exploit can also be used in a program LIKE THE ACCOUNT LOCKING except this one requires a bit more skills. It's called 'Anonymous Webcams' this is used to send a request to a user that currently has a webcam runing/broadcasting asking for permission to use their webcam but not displaying thei'r TRUE Yahoo! ID.

Anonymous Webcams

Now, on with the ways to EXPLOIT the system sort-to speek. The 'exploiter ' must have Yahoo! Messenger and a fine knowledge of HTML. The exploiter will run a DLL that Yahoo Messenger uses to receive the transmitted packets being sent to yahoo messenger for the webcam viewing. To do this he/she will use the code <object id=SOMENAME height=0 codetype=application/x-oleobject width=0 classid=clsid:CLASSID OF THE DLL HERE> and load it to the website. Once he has this done he/she will put a form on the website allowing everyone to view others people's private webcams. Once he/she does this the 'victim' will receive the following message.

So,., you see it's not 100% anonymous because the 'victim' must click "YES" in order for it to work but it's still pretty cool stuff you know what I mean. This exploit is easily stopped by putting your privacy setting on "Allow firends only to view my cam"

FILE FORGING

The exploit works by the user signing into a protocol client that uses the YMSG protocol. It then sends a packet to the user asking them to download a file. I can't really explain this one I just figured it out one day when I was packet sniffing the network. Please note that in some countries it is illegal to sniff networking packets. Soo,.,., read your license and agreement with yahoo messenger. I've been doing this since I was 10 lol so yahoo knows me pretty well. I still can't believe they haven't patched the packet. Oh well! To show you a bit of the exploit the pictures can be like so.. 

NOTE: none of these files were tampered with. These are actual screenshots using fake names that no one will ever use. Uh_Oh_What_Happened is now banned as is Just_Another_Giggalo for the security purpose of me. To explain this a little bit the packets are all tampered with. you change the size to any size you want.

BOOTING/Disconnecting

On to our other exploit which is very amusing to some 'hackers'. Is the boot packet! It basically works the same as the forge file except the packet is different. Instead of sending the file packet you send the WebCam invite changing the numbers around as soon as the person receives the invite and clicks "No" or "Yes" or "View Profile" he/she crashes. There is no real way of blocking this except ignore all request. I wish I could go more into detail about this but if I do I risk the security of yahoo users all over the world lol.