OK, so I'm not a real coder. SUE ME! <img border="0" alt="[Kiss My [censored]]" title="" src="graemlins/Kiss My [censored].gif" />

Anyway... this is a rather limited xploit, but since I came up with it I thought it was rather clever, of COURSE! There is a rather minor security issue with YIM ( Yahoo! Instant Messenger ), as posted here . I happen to have access to a console with many different users using the service, (with LOADS of archived chats) and noticed that YIM 'archives' chat sessions using very weak encryption.

According to the article above, the text of the archived messages is simply XORed with the YID ("Yahoo ID" = login/screenname/whatever) of the user. The article also stated that it would be easy to decrypt.... sha, if you're a programmer! Which I am not, nor could I find a program online to perform the necessary hex XOR (the function is reversible simply by repeating it) (hex xor... hax xor? :p ).

Curiosity is one of my strong points... I found I could do it rather tediously, byte by byte with a hex editor and windows calculator. I figured there has to be a better way... short of coding, of course. Here are the results.

Of course this only works if you have access to the archives themselves, it has to be enabled to log messages. The article above shows how to turn on archiving through the registry (they probably won't even notice... and .inf files are so easy to write I won't even do it for you). So you need the YIM program, and the archive files. If you don't know how to find them you shouldn't be doing this anyway!

0) Obtain archive files and YID (and YIM)
1) Go to http://mail.yahoo.com
2)Create new YID using the one you wish to crack. The new YID length MUST be a MULTIPLE of the original's length. If possible, repeat the original YID as many times as you can. Example: [email protected] -> [email protected]. Maximum length for YID is 32 chars! DO NOT add extra chars, length MUST BE MULTIPLE or exploit WILL NOT WORK!
2a) If all names are taken, repeat YID as many times as possible, changing ONE letter, I recommend the last letter of the YID, incrementing or decrementing it. IE: joeschmoe69 -> joeschmoe69joeschmoe68. I explain this below. If THOSE names are taken, increment or decrement the second-to-last letter... on down the line until you find an unused YID.
3) Set up account, log into mail (this activates the acct)
4) Copy archive files to new profile folder. Figure it out yourself, it's easy!
5) Login new YID with YIM. Turn on archiving. Browse pilfered archives!

NOTE!! If you had to change a letter in the YID, then due to the XOR process, the letter in every chat statement corresponding to the changed letter will differ by the amount you incremented or decremented it. This is why I say to only increment instead of using random chars, it will be easier to read! If you can get a pure "multiple" of their YID, archives will be completely decrypted.

Example:
YID1:joeschmoe
YID2:joeschmoejoeschmof
joeschmoe=9 chars, doubled is 18
Every 18th letter (per line) will be... uh, incremented since you incremented the ID (++e=f).

It will look like this:
joeschmoe: I want a drink wauer.
fountain: Go and get yoursemf a drink if you bre thirsty. I'm npt going to do it gor you!

(I think the space character increments to "#")

This is why you multiply the YID, it minimizes the, uh, "typos".

I doubt anyone will enjoy this, but it was fun to figure out anyway. If you value your privacy enough to fear this then find out how to check/disable the archiver, and find out where the files are!!! You can delete them if you want, they're yours, right?!? RIGHT?!?!?


Back off, man! I'm a scientist... - Peter VenkMann