How is it possible

[Minnie_Monster]

I am sitting in chat room on an alisis id. Here is a guy that can pull up the main account id and put it in the room and ever alisis id attaced to the main account id and your name your phone number and adress and the kicker is I have my profile set on private and I have all my setting in my profile edited so that no one can see.How in the hell is this guy doing this and its not just with me its anyone in the room and he is able to access your e-mail and read them. WTF is he hacking. I am using YTK.

[SomeGuyFromCanada]

It could be an exploit. I haven't heard of it though.

Might have something to do with the request contact details packet.

[Thomas]

It could be an exploit. I haven't heard of it though.

Might have something to do with the request contact details packet.

i hope adam and brock can patch this in ytk

[Minnie_Monster]

This guy and his wife are able to do this in room bbw6 their ids are: <removed> & <removed> these two are the ppl that can do this to ppl. He said a program he runs is a scan on an alisis ID and pulls up all alisis ids that are attached to main id and he put my main ID in the room and he did another girl main id off of her alisis and one girl said he read an e-mail she just sent a few mins ago. Could it be from an open ID source vaneriability. I don't know but it scarey he can do this from an alisis id.Somebody needs to check this out.

*Edit - Removed user ID's - SGFC

[SomeGuyFromCanada]

i hope adam and brock can patch this in ytk

Doubtful, this is probably something Yahoo! would need to patch.

This guy and his wife are able to do this in room bbw6 their ids are: <removed> & <removed> these two are the ppl that can do this to ppl. He said a program he runs is a scan on an alisis ID and pulls up all alisis ids that are attached to main id and he put my main ID in the room and he did another girl main id off of her alisis and one girl said he read an e-mail she just sent a few mins ago. Could it be from an open ID source vaneriability. I don't know but it scarey he can do this from an alisis id.Somebody needs to check this out.

Sounds like he actually has access to the account. Not that he is actually scanning the ID. Because he can read emails and also knows the account info.

[jerseyguy56]

When running yahoo messenger these days my Microsoft Security Essentials has been detecting
a trojan called PSW: Win32/Tibia.AB

This software is for capturing passwords.

Generally, the only time it's detected is when Yahoo Messenger is running.

This might be a way for these people to access your information.

[Minnie_Monster]

He can do anyone in the room from an alisis that your on at the time. And how can he do this ?
I just meet the guy and I use YTK all the time And I have got my setup locked down pretty good and he still did it on any account with and alisis id. When you sign into My Account IFO ok on that page go down and click Manage/create your openID then you will see your Your OpenID identifiers: I remember him saying something about HTTPS scanner and that what he is doing is public info. Then he he to abot and scanned it and he put something that looked like this in the room>>HuRkPzEgkJ8yzaRbUDOnF3RAShbIKdnEU

[Clusterphuck]

There's an exploit (it's a link actually) being used that reveals a person's main ID thus rendering Gawd Mode completely useless if an attacker were to use it. Just wait for it to get patched by Yahoo, if ever.

[Minnie_Monster]

I knew it had to be some type of exploit. Ok guy's just thought I would make some of us aware of this exploit.

[SomeGuyFromCanada]

The exploit mentioned above wouldn't reveal every single alias or contact info. Or even email.

[Minnie_Monster]

ok last night this same guy was in the room and I was chatting with afriend and all of a sudden he pmed me and said thats one of his accounts that just came in the room. Then it left and I told him to see if he could sign into it and he could then that wizard say to a girl in the room that he took her ids but he would give them back so this guy is hacking accounts in bbw6. What ever he is using its getting into your account.

[SomeGuyFromCanada]

One interesting thing is if you look into your conversation history (stored on Yahoo! server). It shows an email address if you hover over the user's name/ID. For the most part the email it shows is accurate.

[Thomas]

this program need be patch and we all know that yahoo takes there sweet time in patching stuff that is a high risk unless somebody tell them what to look for then it patch fast

[James]

haha stay away from the bbw and pick up bar rooms

[Adam X]

There's been at least one way to grab the main id of an account for a very long time (which I still have working). This is why I recommend going into chat on the main id and not the alias. When they check your name they'll just see the main id and won't have any of the aliases you may have on your account in their possession. It's easier to boot a person when they have aliases that are known because the chat servers treat them as separate target recipients (more flooding can be done before bans occur).

As far as posting address info, phone numbers, etc, I can do this as well. The way I'm able to do it is not through Yahoo! at all, it's through a survey site that you can use to reveal the information for any e-mail address (if they're in the database). Scary stuff but this has always been possible. Your "hidden" display pics can be viewed as well. More than 2 years ago I discovered a way to do this which still works and two more ways over the years which also still work. I haven't seen this being used by anybody to do anything other than peep on people's hidden pictures. I can turn their display pic/avatar off/on as well which is what I discovered a couple years back. There's a lot of stuff that can still be done, some of it I'll be reporting to Yahoo! when it becomes public, some without waiting.

Maybe I'll pay a visit to this room sometime and see what they can do to me. They're likely using something similar to what I have to "drop docs" (term for grabbing and revealing a person's personal information). If a Yahoo! production server (web server etc) has been compromised then they can get this information there too, but this may not be limited to just within Yahoo!'s own realm. The way I do it isn't limited to just Yahoo!/Yahoo! Chat.