Yahoo Messenger privacy vulnerability in Yahoo 360

[n3td3v <xploitable () gmail com>]

Hello security community,

Can someone confirm that the following is true?...

Vendor: 

Yahoo! Inc

Description:

Just when users of Yahoo Messenger had got a custom to being stealth
from friends on Yahoo Messenger and Yahoo Profiles. Yahoo 360 appeared
late March 2005, and currently takes your privacy away.

Currently Yahoo 360 is not in sync with Yahoo Messenger stealth
settings, therefore the user appears online at Yahoo 360.

The vulnerability can be exploited and written into a hackers IM
software, to have real-time online status, quickly and easily, of any
devious users who choose to hide using Yahoo Messenger's stealth
settings.

Whats more is, if a user selects *Don't display my status on Yahoo
sites* via Yahoo Messenger/Yahoo Profiles/Yahoo Members Directory, the
true and not false online status is still displayed on Yahoo 360.

Work around:

Don't use stealth settings and select "Invisible to Everyone" on your
status chooser.

Credit:

n3td3v

http://blog.360.yahoo.com/blog-DDhkxBU_KLIDKLXKywM-?p=324
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/