Y! Messenger: a flaw allows phishing attacks

A flaw was discovered in the IM software Yahoo! Messenger which can be exploited to make a phishing attack.The publisher of security solutions BitDefender explained via one of its blogs have spotted a flaw in the Yahoo! Messenger client version 11.x for Windows users. The problem would be located within the system file transfer. The hacker, who need not have been previously added to the list of contacts of the victim, would be able to handle the message displayed on the screen, inviting it to accept or reject the transferring a file.

Upon loading this message, it is possible to change the status of the user by including a link to a fraudulent site. "The status messages are very effective in terms of clickthrough rates because they are aimed at a limited number of friends," said BitDefender adding that it is easily possible to point to a page that contacts an operator fault Internet Explorer, Java, Flash or PDF.

The publisher advises to block the reception of messages from outside contacts, an option disabled by default. Sunnyvale firm has been advised of this vulnerability and is working on a fix.