Changing of user's status message on Yahoo! Messenger

Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows attackers to change any user's status message.

Hijacked status updates are a handy way to persuade a victim's contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client requires minimal user interaction to work. The attacker sends a supposed file to a target that is actually an iframe that swaps the status message for the attacker's customized text. The message might be, and in most attack scenarios would be, sent firm outside a targeted user's contact list. If successfully executed, a victim will have no indication that his or her status message has been rewritten. The ruse might be used to gain affiliate incomes by promoting web sites as well as directing users towards sites loaded with exploits or scareware scams. Bitdefender advises users to change the setting of their IM (Instant Messaging)client to ignore anyone who is not in their Yahoo! Contacts as a precaution pending the release of a patch. In addition, some security suites include a web filter function that ought to defend users from this attack. Original news was published at The Register web site.