I just realized that the latest version of Yahoo! Messenger suffers from a vulnerability that allows a hacker to get your IP address.
Basically, if both clients use the latest version of Messenger and the victim responds to an IM from the attacker, the former’s IP address is shown in the netstat output of the latter. This is a very old vulnerability that was supposedly patched a long time ago, but it has resurfaced in the latest version of the Messenger software.
It appears that both clients initiate a direct end-to-end connection whenever a conversation is begun. I have noticed this behavior when I communicate with some of my friends on Messenger. I can see their IP address.
This is a serious issue, and I hope Yahoo! addresses it pretty soon.
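To check whether your own client is holding such a direct connection open (and so exposing your address to the other side), the added example below, which is not part of the original post, parses `netstat -ano` style output and lists established connections owned by the messenger process that go anywhere other than the service's servers. The sample output, the PID 4120, the ports and the server network are constructed placeholders, not real Yahoo! values.

```python
import ipaddress

# Constructed `netstat -ano` excerpt (Windows layout); all addresses are documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         192.0.2.10:443         ESTABLISHED     4120
  TCP    10.0.0.5:49730         203.0.113.77:50123     ESTABLISHED     4120
  TCP    10.0.0.5:49731         198.51.100.8:80        ESTABLISHED     2288
  TCP    10.0.0.5:49733         192.0.2.11:443         TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    [fe80::1%12]:49740     [2001:db8::9]:50123    ESTABLISHED     4120
"""

# Assumption: the networks the IM service's own servers live in (placeholder value).
SERVER_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def direct_peer_connections(netstat_text, client_pid, server_networks):
    """Return remote (ip, port) pairs the client holds open outside the server networks."""
    peers = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows for TCP have exactly five columns; this skips the header and UDP rows.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, remote, state, pid = fields
        if state != "ESTABLISHED" or int(pid) != client_pid:
            continue
        ip, port = split_endpoint(remote)
        # Anything not relayed through the service's servers is a direct peer link.
        if not any(ip in net for net in server_networks):
            peers.append((str(ip), port))
    return peers


if __name__ == "__main__":
    for ip, port in direct_peer_connections(SAMPLE_NETSTAT, 4120, SERVER_NETWORKS):
        print(f"direct connection to {ip}:{port}")
```

An empty result while a conversation is active means the traffic is going through the servers only; any entry means the other party can see your address in the same way.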