YTK's Auto-Reconnect feature works fine with all the YMSG protocol versions _except_ YMSG version 18 due to the change Yahoo! just made a few days ago. YMSGv18 is still usable but the cookie login for it has been specifically affected (as was the regular SSL-based login with improper client id / version strings). This iframe injection vulnerability has existed for many months (since YM 11 beta first debuted) and is definitely a severe issue since it can allow a person to execute code on your computer, steal your account (cookies and potentially the password), among many other possibilities. This exploit only affects Yahoo! Messenger 11 and I haven't personally checked it against YM 11.5 yet but I imagine there are other packet types that can be used to do the damage as well. YTK's out-of-the-box configuration (default settings) block the invitations sent to you from non-friends containing the exploit script code (an HTML form with an iframe embedded typically).

Yahoo!'s choice to tamper with YMSGv18 specifically was pretty stupid considering that this can be completely blocked server-side without targeting an entire protocol version (which YM 11.0 builds use version 18 by default). What's scary is that they just now became aware of this vulnerability when it's existed and been exploited for months on end.

For now, if you plan to use Auto-Reconnect in YTK, do not use YMSG version 18 until I fix it up in the next build. All the other protocol versions will work correctly when using this feature. If you want to have most of the functionality while using Auto-Reconnect then choose YMSG version 17 which will only limit your Facebook chat feature and multiple session instances for the same account while allowing everything else. Typically our users use Auto-Reconnect for YMSG version 102's boot resistance but I am aware that some just use it to lessen any disruption from boots leading to disconnections.