Hacking Yahoo! Messenger

[joseph0829 0]

lately i've been reading some way of hacking yahoo messenger. youtube, hacking forums, and etc, i've been there to ask and to learn how to hacking it. but i've been wondering every now and then while reading and watching those posted videos and scripts, but they are not working. For real, is there any way to hack yahoo messenger?

[turbopowerdmaxsteel 0]

I suppose there are. tansqrx here is an expert at Yahoo! exploits and vulnerabilities. Although his motives are constructive and are aimed at finding exploits and bringing them to the notice of Yahoo. You can drop by his site http://www.ycoderscookbook.com/ to find out more.

[tansqrx 0]

Of course there are ways to hack Yahoo! Messenger but are you willing to take the time? For all of Yahoo’s faults, having a long patch time is not one of them. In other words Yahoo! will issue a fix for any given vulnerability within a few days and a mandatory update within a week. This means that once a problem (critical security) comes to Yahoo’s attention you don’t have very much time to react and take advantage of the problem.This means that those “hacks” on the hundreds of nukePHP boards may have worked 5 years ago but unless they are truly zero-day you will not get anything from them. The only meaningful way to hack Messenger is to come up with an exploit yourself. This takes work and I myself have had a lot of fun researching but I wouldn’t expect to get anything in under 3 months of hard research. As my friend turbomax has said I run a quite little site at ycoderscookbook.com just about this sort of thing. If you are truly interested, stop by the forums and ask some questions. I may not have as many members as some of those other sites but when it comes down to the actual programming aspect of Yahoo! Messenger, I think this is the place to visit.I will get a list of things together later for you to look into. Is there any one thing that you are trying to “hack”? Are you trying to get into someone else’s account, see if a contact is invisible, or perhaps something else?

[ethergeek 0]

I really hope everything goes Jabber like google talk. Open source protocols are teh awesome. I hate that my IM client has to reverse-engineer the protocol every time they change something.At least AIM is being nicer about it by releasing an API.

[turbopowerdmaxsteel 0]

It is not that hard to work with YMSG protocol. The initial learning phase is the most important one. Any changes they make are easy to adapt to. All you have got to do is use Ethereal or similar software to monitor the conversations between Yahoo! Messenger and the server.

[tansqrx 0]

I suppose the preference of chat clients is personal but I never cared for Google talk very much. I also don’t think that just because a product or protocol is open source it is the best on the market. In the end it comes down to the fact that most of my friends are on Yahoo! so I am also on Yahoo!

[tansqrx 0]

In keeping with the original discussion, here are some good starting points for getting into the exploit business. I had a user post a similar question on my site and this is part of my response.

Discovering exploits is not exactly an easy task. It usually takes a lot of time and a fair bit of programming skill and knowledge. I certainly donât want to discourage you but I want to prepare you for what you are facing. I have never personally found a useable exploit for Messenger but I havenât been trying lately either. Here is a little bit of information to get you started.

⢠In the past year there have only been around 5 exploits for Messenger found and there have been a lot of people looking.
⢠Finding exploits may be hard but the result is usually very distinctive. You will usually have a program crash where the program tries to access restricted memory. From the crash work your way back to see what caused it.
⢠Messenger has been beat on for many year so all the low hanging fruit has been picked. You should look at some of the newer features like phone.
⢠For all of Yahooâs faults, one thing they do well is patch exploits and security vulnerabilities quickly. Once an exploit goes public you usually have less than a week to use it before a mandatory patch is issued.
⢠There is no magic exploit program, if there were then I would have already used it and the program would be useless to you. There are several programs that you should gather, one particular class of programs are called fuzzers. They basically throw junk data at a program until it crashes.
o https://en.wikipedia.org/wiki/Fuzz_testing
o http://peachfuzz.sourceforge.net/
o https://hdm.io/tools/axman/
⢠You will also need disassembly tools.
o IDA Pro - http://www.datarescue.com/
o OllyDbg - http://www.ollydbg.de/
o Debugging Tools for Windows - http://forums.xisto.com/no_longer_exists/
⢠Another good addition is a good virtual machine to separate you activites from your main desktop.
o VMWare â http://www.vmware.com/
⢠A good place to start is watch for 0-day exploits from others and study old exploits. You can download older versions of Messenger from many different places to see how the older ones operate. Watch for new exploits on some of the more popular security list such as Bugtraq at http://www.securityfocus.com/archive/1
⢠You should also read some books about exploits. One that I recommend starting with is The Shellcoder's Handbook: Discovering and Exploiting Security Holes.

I hope this gets you started. Let me know if you need any more information and remember that there is no silver bullet or quick solution to what you asked.

[ethergeek 0]

I suppose the preference of chat clients is personal but I never cared for Google talk very much. I also don’t think that just because a product or protocol is open source it is the best on the market. In the end it comes down to the fact that most of my friends are on Yahoo! so I am also on Yahoo!

I'm not knocking yahoo, or implying that something is better by virtue of being open source. I'm just saying that Yahoo would be vilified alot less often if they opened up their protocol and published the specifications. Their target demographic of computer-illiterates will use their ad-ridden client anyway, (and the rest of us will settle for reduced functionality in Adium/Trillian/Pidgin/whathaveyou), whether there's another option or not; so it doesn't even impact yahoo's revenue model.

[tansqrx 0]

I guess it all comes down to the cultural values of the company, Yahoo! and Google in this case. I think of Yahoo! as the old media and Google as the new media in the way they think. Google is more open to experimenting with free and realizing they will still get some profit. Yahoo! is more conservative thinking because they can’t quite get over loosing some of their revenue.I also think the YMSG protocol is still closed because of some historical reasons. Messenger was created before Google made the grand proclamation that everything should be open source. YMSG was born in the era where closed source was the standard and by the very nature of it birth it has a hard time going open. You still have some managers and programmers that have been working on messenger for ten years. It’s always been that way and there is no need to change in their mind.Both views have valid points. In the end I am not overly concerned that YMSG is a closed protocol. As long as I have a network protocol analyzer at my disposal I will be able to figure out what is going on under the hood. It is very selfish for me to say this but I would hate to see Yahoo! go open because I would loose some of my clout as being one of the few sites that publish YMSG data.

[Nate the Skate 0]

you can hack into anything. if you understand the programing of yahoo messenger you can "hack it"

[tansqrx 0]

I will agree and disagree with this depending on the definition of “hack.” If you mean that you can make the program behave in a way that the original programmers did not expect then yes you can hack anything. If you mean being able to run an exploit against the program, more specifically a remote exploit then no you can’t hack anything. I believe the original discussion is about the latter.If a program has no bugs then there is no way an exploit can be found. The definition of an exploit is taking advantage of a bug in the software. The tricky part of this definition is there have never been any bug free programs and there never will be. Even a simple hello world program may be prone to an exploit at some time due to a bug in the underlying OS or any of the API’s called. In the software engineering community bugs are measured as defects (bugs) per 1000 source lines of code. A good number that a program should shoot for is usually around 2. This means that a program with thousands or even millions of lines of code will always have bugs.The technical answer is that you can create a program that can not be exploited but the practical answer is that you can always be able to exploit a program.

[xboxrulz1405241485 0]

I agree with ethergeek about Google and their opensourceness... simply because on Jabber, it's quite universal, I can use basically any third party client or iChat to go on Jabber and talk with my friends on Google Talk (which really is just Jabber).However, I'm forced to use Windows Live Messenger since most of them are on the network. Now I use WLM, AIM, Skype and Jabber. If these companies would just all agree and merge their stuff into Jabber, my life would be so much simpler, but in the world of closed source software and everything must be = $$, I don't see that happening any time soon.xboxrulz

[Brian010011405241556 0]

i wouldnt waste your time trying to hack it. Not saying it cant be done just its really really hard now a days. Its not like the good old days were you could brute force it. There servers have high security. good luck though.