Vulnerability Note VU#393195

Yahoo! Messenger allows arbitrary users to be added to buddy list without proper authorization

Original Release date: 05 Jun 2002 | Last revised: 10 Jun 2002


Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.


Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim's buddy list. The message would have to be sent through Yahoo! servers; the vulnerability could not be exploited peer-to-peer.


A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.


This vulnerability was fixed by a server-side resolution in February 2002. No user action is required.

Systems Affected

Vendor  Status    Date Notified  Date Updated
Yahoo   Affected  29 May 2002    05 Jun 2002

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was discovered by Scott Woodward.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-2002-16
  • Date Public: 21 Feb 2002
  • Date First Published: 05 Jun 2002
  • Date Last Updated: 10 Jun 2002
  • Severity Metric: 15.19
  • Document Revision: 16

