Author Topic: Urgent Advisory: Yahoo! IM Privacy EXPOSED - EVERYONE IS AFFECTED!  (Read 4062 times)

Offline Adam X
My Filed Privacy Policy Complaint
« on: April 08, 2011, 10:14:34 pm »
This is my formal complaint that I filed with Yahoo! Customer Care detailing their privacy violation concerning their new Conversation History IM storage practice.

I used their official complaint submission form to file but you can also e-mail them at privacypolicy@cc.yahoo-inc.com to contact Yahoo! Customer Care regarding their entire Privacy Policy.

Instead, I would recommend using their official complaint form here --> http://help.yahoo.com/l/us/yahoo/privacy/general.html as they may not even read or respond to an e-mail since there are form submission format requirements for processing that your e-mail won't contain.


Quote
First off, I'll introduce myself. I'm a professional software developer, network security auditor, systems architect, and the lead security researcher at Torseq Technologies (an independent security R&D group). I have been using Yahoo!'s services, specifically Yahoo! Chat, every day, for nearly a decade. I'm also a co-author of several chat-based applications that interoperate with Yahoo! Messenger and Yahoo! voice chat (YTK & VC Sync), both commercial and freeware programs respectively.

Recently, after installing your latest Yahoo! Messenger 11 beta build, I decided to investigate your new Conversation History feature for its online message archiving functionality (stored on your servers). What I discovered is very DISTURBING with this particular "feature" you've now added. After lots of research and testing I've concluded that your Conversation History/Message History functionality VIOLATES our end-user right to privacy and completely contradicts your very own privacy policy (concerning this feature) in numerous ways.

Here is a brief overview of what this privacy violation is comprised of:

- Your new, _supposedly_ Yahoo! Messenger-specific, Conversation History message archiving feature is flawed. While you can disable the Conversation History feature within Messenger's preferences, as well as in your Web-based Messenger, both DO NOT prevent ALL instant messages from continuing to be stored on your chat servers.

- As stated above, disabling the message archives in both versions of Yahoo! Messenger (web and YM 11) does not stop the collection of ALL instant messages sent & received from your Yahoo! account IDs. Even more, when you delete the messages that are retrieved and displayed in your message archives they DO NOT delete these messages from the YMSG chat servers, which is your first/primary storage location for them to reside. Instead, all that happens is the messages, stored as records, are only deleted (over HTTP) from your mail servers; the servers that your archive managers use for viewing and deleting these messages.

- The storage of all our instant messages is done at the CHAT SERVER-LEVEL, meaning, they'll be collected and stored regardless of whether you use Yahoo! Messenger for the Web (with archiving turned off here), Yahoo! Messenger versions 8.0/8.1 - 11 beta, Mobile Messenger (WAP), IM'ing from within Yahoo! Mail, or from any 3rd party chat client that uses your chat network. We (the end-users) have not been informed by you that this is [automatically] going on, we have not given our consent for this practice to take place, NOR have we been given the ability to STOP this from occurring.

Yahoo! Messenger 11's "Recent Messages" feature, which is supposed to be complementary to your message archive, reveals ALL of our instant messages (including from Facebook friends, IBM Lotus Sametime, LCS, and MSN/WLM users) being stored on your YMSG chat servers. Up to 40+ (50 maximum) IMs are stored per username from our account, per user that we've contacted or been contacted by, all retrieved with the "Recent Messages" service packet (YMSG service type 283). While this _could_ be an event-synchronization bug between your message archive management over HTTP and the chat server-stored messages over YMSG (message deletion from your mail servers not removing the messages from the chat servers properly, for instance), I find this hard to believe for a couple of reasons. Disabling the Conversation History archive in YM 11 and YM for the Web uses the YMSG service type 239 packet which is sent to the chat server, the same primary location that all these instant messages reside on.

This is starting to get really suspicious now. Could there REALLY be TWO bugs of such importance having gone unnoticed, especially for so long?! Yahoo! Messenger 11 beta has been out for over 4 1/2 months now. There's no telling how long this has been going on but I'll bet it's been AT LEAST 5 months. Your Conversation History privacy statement also discloses that Yahoo! _may_ exercise the right to analyze our stored messages' content... "in order to provide personally relevant product features, content, advertising, spam and malware detection".

Your privacy statement then goes into even more detail...

"Yahoo! provides personally relevant product features, content, advertising, spam and malware detection by analyzing your archive. Some of these features and advertising will be based on our understanding of the content and meaning of your instant messages. For instance, we analyze instant messages to identify key elements of meaning and then categorize this information for immediate and future use. This information may also be used for interest-based advertising."

These aforementioned archive "bugs" need to be addressed and corrected ASAP! Hundreds are now aware of this and soon there will be thousands of upset Yahoo! chat users since I published all my findings the other day to my community forum. If this serious issue isn't rectified within a timely manner, or you don't AT LEAST come forward and INFORM your entire chat userbase (via blog post, YMSG system message notification, or updated privacy policy change) that this is happening, I'll be forced to take my own further action. If you choose to disregard this complaint I've filed with you here then I'll also have no choice but to publish all of my findings but this time to the proper security communities I'm a part of (Security Focus/Bugtraq & Secunia).

I expect a REAL person to contact me, not an automated e-mail, at the e-mail address I've supplied and I'll get back to you so WE can work on getting these flaws resolved for the millions of Yahoo! chatters around the world. The consequences are great, especially for those users who end up with their accounts compromised, where all it takes is this little bit of knowledge to collect all of the instant messages they've sent and received from friends, family, and co-workers.

Regards,
Adam {Torseq Technologies}
« Last Edit: April 10, 2011, 04:01:46 am by Adam »
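Added example (editor's note, not part of Adam's post and not Yahoo!'s or Torseq's code): the post identifies two YMSG service types, 239 (the Conversation History on/off toggle) and 283 (the "Recent Messages" request that returns the server-stored IMs). The audit check it describes is observable on the wire: if a client toggles history off and the server still answers a Recent Messages request with message records, the toggle did not stop server-side storage. The decoder below parses YMSG frames from a captured byte stream and runs exactly that check. The 20-byte header layout (magic "YMSG", version, vendor id, payload length, service, status, session id) and the 0xC0 0x80 key/value separator follow the layout used by open-source YMSG clients and are an assumption here, since the post does not spell them out; the sample frames, their field keys and values are constructed for the demo and carry no meaning beyond it.

```python
import struct

# Service types named in the post above.
SERVICE_NAMES = {
    283: "RECENT_MESSAGES",              # server returns the stored IMs per contact
    239: "CONVERSATION_HISTORY_TOGGLE",  # client turns the archive on/off
}

# Fixed 20-byte YMSG header as used by open-source Yahoo! clients (assumption; the
# post does not describe the frame layout): magic, version, vendor id,
# payload length, service, status, session id, all big-endian.
HEADER = struct.Struct(">4sHHHHII")
MAGIC = b"YMSG"
SEP = b"\xc0\x80"  # terminates every key and every value in the payload


def parse_frame(buf, offset=0):
    """Decode one YMSG frame starting at `offset`; return (frame, next_offset)."""
    if len(buf) - offset < HEADER.size:
        raise ValueError("short header")
    magic, version, vendor, plen, service, status, session = HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    start = offset + HEADER.size
    payload = buf[start:start + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload")
    parts = payload.split(SEP)
    if parts[-1] != b"":          # a well-formed payload ends with a separator
        raise ValueError("payload not terminated by separator")
    parts.pop()
    if len(parts) % 2:
        raise ValueError("unpaired key/value")
    fields = [(parts[i].decode("ascii"), parts[i + 1].decode("utf-8", "replace"))
              for i in range(0, len(parts), 2)]
    frame = {
        "version": version, "vendor": vendor, "service": service,
        "service_name": SERVICE_NAMES.get(service, "OTHER(%d)" % service),
        "status": status, "session": session, "fields": fields,
    }
    return frame, start + plen


def parse_stream(buf):
    """Split a captured byte stream into consecutive frames."""
    frames, offset = [], 0
    while offset < len(buf):
        frame, offset = parse_frame(buf, offset)
        frames.append(frame)
    return frames


def build_frame(service, fields, version=16, vendor=0, status=0, session=0):
    """Encode a frame; used here only to construct the sample capture."""
    payload = b"".join(k.encode("ascii") + SEP + v.encode("utf-8") + SEP for k, v in fields)
    return HEADER.pack(MAGIC, version, vendor, len(payload), service, status, session) + payload


def history_off_but_recent_messages_served(frames):
    """The post's finding: a history toggle (239) followed by a non-empty
    Recent Messages reply (283) means messages are still held server-side.
    The per-key semantics are not on the page, so only presence is tested."""
    toggle_seen = False
    for f in frames:
        if f["service"] == 239:
            toggle_seen = True
        elif f["service"] == 283 and toggle_seen and f["fields"]:
            return True
    return False


# Constructed sample capture: a toggle request, then a Recent Messages reply
# that still carries a stored record. Keys/values are placeholders.
SAMPLE_CAPTURE = (
    build_frame(239, [("1", "example_user")])
    + build_frame(283, [("1", "example_user"), ("4", "example_contact"),
                        ("14", "constructed message text")], session=0x1234)
)

if __name__ == "__main__":
    for fr in parse_stream(SAMPLE_CAPTURE):
        print(fr["service_name"], fr["fields"])
    print("history off but messages served:",
          history_off_but_recent_messages_served(parse_stream(SAMPLE_CAPTURE)))
```

Run against a real capture, the frame list shows which service types the client and server actually exchanged, so the claim that archive deletion happens over HTTP while storage lives on the YMSG server can be checked by looking for a 283 reply after the archive was switched off, without relying on what the client UI displays.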