
Yahoo I.D. Problem caused by Hackers

19 years 6 months ago #8582 by jhun
hi to all,

i happen to stumble upon this problem on one of the yahoo groups i am affiliated with...my question is would something like this be possible? and if so what measures can be done to prevent such as the scenario given below...

Hi to all IT here I need your help.

Situation:

1. Someone using the internet Yahoo Messenger. This man with
yahoo I.D. "ariaz99" appeared with invitation to open the webcam and
he has a capability to detect the password of the I.D. whom he meets
through chatting.

2. While chatting with "ariaz99", he was asking the user
forcefully to open the webcam with the threat of shutting or closing
the I.D. if not obeying his command.

3. "ariaz99" giving the countdown from 10, 9, 8, 7 downward to 0
and then finally "ariaz99" disappears.

4. Indeed, the concerned user logged out from yahoo messenger
thinking that the threat was not real, then re-logged in but sad to know
that the I.D. was not accessible anymore, refusing to accept the
password.


Next user of the same computer – note: the computer has not been
shut down or restarted after that incident but then being used by the
next user id: orlando_e_roque.

1. User I.D. "orlando_e_roque" the next user received
immediately a message from "ariaz99" giving the full details of the
Passwords Perfectly & demanding the same threat. So the user because
he was confused, he then shut off the computer after seeing the
countdown of "ariaz99".

2. "orlando_e_roque" re-logged in using that i.d. "orlando_e_roque"
but not able to get the correct password or not able to access the
i.d.

3. The user tried to recover the I.D. by entering all the
information given during the creation of his I.D., but none of the
information was detected correctly.

4. QUESTION: 1.) Is there any other way to retrieve back the
I.D. "orlando_e_roque" ?

5. QUESTION: 2. ) How do that "ariaz99" detected the password
and thing he has a capability to edit the information?

19 years 5 months ago #8591 by sahirh
Sounds like someone had a trojan installed. I don't remember any Yahoo Messenger vulnerability that lets you do all that.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
19 years 5 months ago #8599 by jhun
hi sahir,

thanks for the reply...i was thinking the same thing too...that somehow the attacker might have installed a trojan and managed to install it probably thru a tunnel although not quite sure about it...but how is the attacker able to change the account settings of the affected user?...his trojan might be a powerful tool to do that kind of stuff...
19 years 5 months ago #8602 by Ozzy_98
Sounds to me like he wanted the user to send the password data by logging in. I haven't sniffed yahoo network traffic in ages, but I'm betting it sends the password data when you login, and when you enable web cam. Also, you can only log on under one instance, hence the reason the user couldn't log in a second time. Tracert from the attacked computer to the messenger server should tell you if the traffic was being forced through a tunnel to the attacker's computer, but if it does have some sort of trojan, might even fudge that data. I'm not leaning to a key logger since when you sign in\out of yahoo, most people have it remember their password, so unless it has a pre-defined thing to grab the password from the edit box, it wouldn't detect it. Course, if it was designed just FOR yahoo, it would look for said box and grab the password.
19 years 5 months ago #8605 by jhun
hhmmm...very informative ozzy...is that also one reason that some use other messenger clients other than yahoo like yahlite or something of that sort?...could you elaborate more on your theory?..seems a little interesting... :D thanks..
19 years 5 months ago #8608 by Ozzy_98
well, for the data to work correctly, any yahoo clone program would have to use the same setup. So if yahoo says you need to resend your password to enable webcam, then other programs would have to also.

Depending on the mode, yahoo will send its data over port 80 and will use web proxies, just like a browser. So if someone installed say an activeX control on the target that changed proxy settings for yahoo messenger, then all data would be sent to the attacker's computer. Get Ethereal, a network sniffing program, and try to set it up to sniff all your own traffic on your computer, then log into yahoo, you should be able to see your password as plain text.
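
A defensive check for the proxy-redirection theory in the last reply, added here as an example and not part of the original thread: it audits the current user's Windows Internet Options proxy settings and flags anything unexpected. It assumes the chat client follows the system proxy; `$ExpectedProxies` and the function names are hypothetical.

```powershell
# Added example: audit the per-user WinINET (Internet Options) proxy settings.
# Assumption: the chat client follows these settings rather than its own config.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Hypothetical allowlist: proxies you actually expect on this machine.
$ExpectedProxies = @('proxy.corp.example:8080')

function Get-ProxyEndpoints {
    param([string]$ProxyServer)
    # ProxyServer is either "host:port" or "http=host:port;https=host:port".
    if ([string]::IsNullOrWhiteSpace($ProxyServer)) { return @() }
    $ProxyServer -split ';' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry -match '=') { ($entry -split '=', 2)[1] } else { $entry }
    } | Where-Object { $_ } | Sort-Object -Unique
}

function Test-ProxySettings {
    param($Settings, [string[]]$Allowed)
    $findings = @()
    # A manual proxy only takes effect when ProxyEnable is 1.
    if ($Settings.ProxyEnable -eq 1) {
        foreach ($ep in Get-ProxyEndpoints $Settings.ProxyServer) {
            if ($Allowed -notcontains $ep) {
                $findings += "Unexpected proxy in use: $ep"
            }
        }
    }
    # A PAC script can redirect traffic even when no manual proxy is set.
    if ($Settings.AutoConfigURL) {
        $findings += "Proxy auto-config script set: $($Settings.AutoConfigURL)"
    }
    return $findings
}

$current = Get-ItemProperty -Path $key
$result  = Test-ProxySettings -Settings $current -Allowed $ExpectedProxies
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No unexpected proxy configuration found for this user.' }
```

Run it as each user who signs in on the shared computer, since the settings are stored per user.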