Bug / possible security issue

  • javakiddy
    Message 1 of 1, Feb 26, 2004
      Yahoo Messenger does not appear to function appropriately when using
      identities, leading to what is at the very least a serious bug, and at
      worst a security/privacy issue. Although I've only witnessed this
      problem from the Linux (RedHat) client, the erroneous functionality
      would appear to be server-side as well as client. So it has to be
      assumed that the problem is true for all platforms. (Can anyone
      confirm this?)

      Try this: run two separate clients and log into one using an account
      which has at least two separate identities (profiles). Send a couple
      of messages from the primary identity to your other client, and note
      how the "<id> is typing a message" line appears at the foot of the
      IM window. Now, without closing the first IM window, send a message
      using a secondary identity to the same client - another IM window
      should open on the receiving client because Yahoo treats the two
      identities as it would two separate users (as it should!) BUT...
      note that the typing notifications are *still* going to the primary
      identity IM window.

      Taking a look at the network traffic, it seems that Yahoo's client
      *always* sends typing notifications out as the primary identity - even
      when the user is employing a secondary identity. Indeed, if the
      notify 'packet' is sent out with the secondary identity written into
      it (using third party code) it arrives (at the receiving client) with
      the sender re-written to the primary identity.

      Because of this bug, typing notifications sent out while using
      secondary identities are either ignored (because the receiving client
      does not recognise the sender) or sent to the wrong IM window (as in
      the example above, where a client was talking to two identities at
      once).

      The receiving client also does not get notification at all (no
      message arrives from the server) when an IM user with whom they are
      talking logs off, if that user was not a primary identity. I assume
      this is a related issue(?)

      There is a very minor privacy issue too: If I am talking to
      'superman' and I see that typing notifications are arriving just
      before and after his messages tagged as being from 'clarkkent' then
      the sender's real identity is exposed. This would normally be a
      major security/privacy issue - except that Yahoo's on-line
      documentation for profiles/identities does not appear to ever promise
      that creating aliases like this ensures security or privacy. Even so,
      it would be nice if they fixed the bug and actually got their clients
      and servers to function so that alternative identities behave in
      exactly the same way as primary identities. And posting info in the
      help section to more clearly warn that using Yahoo profiles is not an
      effective way of masking your true (original/primary) identity would
      I'm sure also be of help to many.


      -FISH- ><>