Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.
Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim's buddy list. This message would have to be sent through Yahoo! servers, and could not be exploited peer-to-peer.
A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.
This vulnerability was fixed by a sever-side resolution in February 2002. No user action is required.
This vulnerablity was discovered by Scott Woodward
This document was written by Jason Rafail.