Yahoo Messenger 11.x $InlineAction parameter iFrame flaw

A zero-day exploit has been seen to be present in Yahoo Messenger 11.x, including the latest released version which allows a remote attack to hijack your status update. The attacker will simulate sending a file to a user when changing the status update. This can be done in part to the '$InlineAction parameter' flaw which is responsible for the way the Messenger form displays the accept or deny the transfer. The attack vector uses an iFrame which loads and then swaps the status message for the custom text. Remote attackers can use the status update to post URL updates which then redirect users to fake malicious websites. The attacker does not need to be included in the victims contact list.