On Wed, 5 Apr 2006, n3td3v wrote:
> If you want the IP of a user on Yahoo Messenger, all you do is add a user to your list with social engineering techniques, then you listen on port 5101 and send the victim a normal instant message. Yahoo compromises security in that way by attempting to establish a peer-to-peer connection between consumer clients, to save on server usage. Yahoo don't care how easy it is to obtain a user's IP by simply sending someone an instant message. Yahoo say the fact you need to add each other to a friends list first is good enough security to protect its users.

I don't see this as a problem really, since it is trivial to lure a user into a website one controls, by sending a unique URL to someone. Besides, an IP is not a sensitive piece of information in any way, as you leave it at any website you surf by. Could you care to explain why I should care if Joe R. Andom Cracker has my IP from Yahoo IM?

-- 
Regards,
Vidar

Better dead than mellow.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/