Yahoo! Messenger injection attack

Question

Just five minutes ago I had an injection attack through Yahoo! Messenger. The only visible effect was the change of my status message. I also got a dialog message saying that a script cannot continue running because the string was not terminated, or something like that; when I looked for the script at the specified path I could not find it.

How the attack was executed: a conversation window with someone I did not know popped up; it displayed a distorted box, the kind that appears when the other person is sending you a file (only there was no file to save). (The box was distorted as if the client had trouble rendering it.)

I tried saving the conversation (to see the text that was sent), but it was empty. I haven't restarted my computer. Any chance I could see what was sent to me?

Update

I searched the id through which the attack came and found it is affiliated with a site that has a public form for changing any person's status message: all you have to do is put in their id, the status message and you're done. (I don't think I should mention what site it is.)

I used the form to send attacks to my own self so I could capture them with a network analyzer. The exploit was sent through a malformed File Transfer Request. I also sent a normal FTR to compare and see what is different in the exploit. Among others, a FTR contains the following info:

(a) name of the file being sent
(b) size in bytes
(c) hash probably used to check if the transfer succeeded

The exploit had no file name, and presumably the size of the file is 4128 bytes (but there's no file you can actually download). The hash is somewhat more interesting. In a normal FTR, the hash looks like any other (a string of characters); the exploit FTR had this for a hash:

'<form><iframe onload=\"SetCustomStatus('mystatus');\"></iframe></form>

The SetCustomStatus function is from the YM SDK. This appears to be all, so there probably wasn't any real harm done. It would be interesting to know how they got Yahoo! to send that JavaScript code instead of a normal hash.

Anyway, I'll report the site to Yahoo!. (Edit: Except I can't seem to find where to report it... >:( )

Wow! Great job! If you want to report a security vulnerability to Yahoo, you can email security@yahoo-inc.com. Or, you could report to CERT and let them handle disclosure to Yahoo -- but personally I'd probably report directly to Yahoo. — D.W., Dec 03 '11 at 21:33
@D.W. Thanks. I received a reply from someone at Yahoo! that they got my email. — Paul Manta, Dec 04 '11 at 12:25
+1 vote for identifying and confirming a security vulnerability. — Jeff Ferland, Dec 05 '11 at 18:51

score 2 · Answer 1 · answered Dec 03 '11 at 06:54

I don't know whether it will be possible to save a log of what was sent to you, but if I were you, I wouldn't worry about it. I would leave that to security folks to analyze the details of how you got hacked; if you got picked at random to be hacked, odds are there many others are getting hacked, too, so the professional security companies have a good chance of observing the attack in the wild.

Instead, I would focus on securing your machine so your don't get hacked again, and making sure you eliminate any access to your machine and Yahoo account that the hacker may have gained. In particular, I would take the following steps as soon as possible:

Immediately change your Yahoo! Messenger password to a temporary password, ideally from another computer if possible but if not, from your own computer. (This will be just a temporary password, because there's always the possibility that your attacker has infected your copy of Yahoo! Messenger or infected your machine with a keylogger. We'll try to deal with that next.)
Disconnect your computer from the network. Reboot.
Run a full virus scan of your computer (most will have an option to do a full scan of the hard disk on demand). Fix any problems it reports.
Reconnect the network connection. Ask your virus software to update its anti-virus definitions. Run another full virus scan. Hopefully it won't find any problems.
Reboot. Run Windows Update. Update all the software it will allow you to update. While you're there, turn on automatic updates, if for some reason they're not already enabled.
Check for updates to Yahoo! Messenger. Install any updates.
Download and install Secunia PSI. Run it. Fix any security problems it reports (i.e., update any software that it says is out of date).
Reboot if required by any of the previous software updates.
Now change your Yahoo! Messenger password a second time, this time to something permanent and hard to guess. You might want to change the answers to any security questions, too, just in case.
Also, check over your Yahoo! account profile and details very carefully. Make sure any email addresses in there are correct (e.g., that the attacker hasn't forwarded your email to another account). Make sure the attacker hasn't added himself to your buddy list or anything like that.
If you used your Yahoo! Messenger password on any other site or with any other software, change your password for those sites/applications, and do the same with them.

While there are no 100% guarantees, if you follow those steps, I expect you will probably be OK.

Thanks for the help. I posted an update, if you are interested. — Paul Manta, Dec 03 '11 at 14:48

Yahoo! Messenger injection attack

Update

1 Answers1