
CERT Coordination Center

Yahoo! Messenger allows arbitrary users to be added to buddy list without proper authorization

Vulnerability Note VU#393195

Original Release Date: 2002-06-05 | Last Revised: 2002-06-10


Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.


Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim's buddy list. This message would have to be sent through Yahoo! servers; the vulnerability could not be exploited peer-to-peer.


A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.


This vulnerability was fixed by a server-side resolution in February 2002. No user action is required.

Vendor Information


Yahoo Affected

Notified: May 29, 2002 | Updated: June 05, 2002



Vendor Statement

This was fixed 25-Feb-2002 on the server side. Users do not need to take any action.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.




This vulnerability was discovered by Scott Woodward.

This document was written by Jason Rafail.

Other Information

CVE IDs: None
CERT Advisory: CA-2002-16
Severity Metric: 15.19
Date Public: 2002-02-21
Date First Published: 2002-06-05
Date Last Updated: 2002-06-10 15:49 UTC
Document Revision: 16

Sponsored by CISA.