Yahoo! Chat! servers contains a flaw that may allow a remote attacker to bypass 'Add Buddy' restrictions. The problem is that the server does not send confirmation when 'Add Buddy' requests are made. With a specially crafted URL, a remote attacker can arbitrarily add buddies without permission and disclose their online status resulting in a loss of confidentiality.
Classification
Location:
Remote / Network Access
Attack Type:
Information Disclosure
Impact:
Loss of Confidentiality
Exploit:
Exploit Public
Disclosure:
OSVDB Verified
Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.
Blogs
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
gmail.com -
