Yahoo Messenger 11.x $InlineAction parameter iFrame flaw

Dec 5, 2011

A zero-day exploit has been observed against Yahoo Messenger 11.x, including the latest released version, that allows a remote attacker to hijack a user's status update. The attacker simulates sending a file to the user in order to change the status update. This is possible in part because of a flaw in the '$InlineAction' parameter, which is responsible for the way the Messenger form displays the option to accept or deny the transfer. The attack vector uses an iFrame, which loads and then swaps the status message for the attacker's custom text. Remote attackers can use the status update to post URLs that redirect users to fake, malicious websites. The attacker does not need to be in the victim's contact list.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023