Yahoo Messenger is old and sucks! Go away developer!

Sep 11, 2015 00:20 GMT  ·  By

Yahoo Messenger as a service may not be shutting down, but the desktop application is slated to be discontinued, as a security researcher found out when he reported a buffer overflow bug.

Julien Ahrens, a freelance security researcher, has uncovered a bug in Yahoo's Messenger Windows desktop client, which he privately reported to the company last year.

The bug (CVE-2014-7216) is a classic buffer overflow that is triggered when a user installs a maliciously crafted emoticon package.

A buffer overflow in Yahoo Messenger's emoticon module

According to Ahrens, "the application does not properly validate the length of the string of the 'shortcut' and 'title' key values before passing them as an argument to different lstrcpyW calls."

Over-long values overflow the fixed-size destination buffer, which an attacker can exploit to execute malicious code on the user's machine. If exploitation fails for any reason, the overflow still results "in a denial-of-service condition" that crashes the application.
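As an added illustration (not Yahoo's code and not Ahrens' proof of concept), the following C shows the unchecked copy pattern the advisory describes next to a length-validated version. The buffer sizes, the struct layout and the function names are assumptions made for this example; on non-Windows builds a portable loop stands in for lstrcpyW, which copies until the terminator and never looks at the destination size.

```c
/* Added example, not code from Yahoo or from Ahrens' advisory: the unchecked
 * copy pattern described in the article beside a length-validated version.
 * Buffer sizes, struct layout and function names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#define UNBOUNDED_COPY(dst, src) lstrcpyW((dst), (src))
#else
/* Portable stand-in for lstrcpyW: copies up to and including the terminator
 * and never checks how large the destination is. */
static wchar_t *unbounded_copy(wchar_t *dst, const wchar_t *src)
{
    wchar_t *p = dst;
    while ((*p++ = *src++) != L'\0')
        ;
    return dst;
}
#define UNBOUNDED_COPY(dst, src) unbounded_copy((dst), (src))
#endif

#define SHORTCUT_MAX 32   /* assumed fixed-size fields, standing in for the client's buffers */
#define TITLE_MAX    64

struct emoticon {
    wchar_t shortcut[SHORTCUT_MAX];
    wchar_t title[TITLE_MAX];
};

/* Length of s, scanning at most max characters, so an unterminated value
 * from the package cannot make the check itself read out of bounds. */
static size_t bounded_len(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* VULNERABLE: mirrors the pattern in the advisory. The 'shortcut' and 'title'
 * values come straight from the emoticon package and nothing validates their
 * length before the copy, so a value longer than the field overruns the
 * emoticon object (and, when that object lives on the stack, the return
 * address behind it). Never call this with untrusted input. */
void load_emoticon_unchecked(struct emoticon *e, const wchar_t *shortcut, const wchar_t *title)
{
    UNBOUNDED_COPY(e->shortcut, shortcut);
    UNBOUNDED_COPY(e->title, title);
}

/* HARDENED: validate each untrusted value against its destination before
 * copying. Returns 0 on success, -1 if either value is missing or too long. */
int load_emoticon_checked(struct emoticon *e, const wchar_t *shortcut, const wchar_t *title)
{
    if (shortcut == NULL || title == NULL)
        return -1;
    if (bounded_len(shortcut, SHORTCUT_MAX) >= SHORTCUT_MAX)   /* no room for the terminator */
        return -1;
    if (bounded_len(title, TITLE_MAX) >= TITLE_MAX)
        return -1;
    wcscpy(e->shortcut, shortcut);   /* safe: both lengths proven to fit, terminator included */
    wcscpy(e->title, title);
    return 0;
}

/* Constructed inputs for a stand-alone run: a normal pair and an oversized shortcut. */
int demo_accept_normal(void)
{
    struct emoticon e;
    if (load_emoticon_checked(&e, L":)", L"smile") != 0)
        return -1;
    return (wcscmp(e.shortcut, L":)") == 0 && wcscmp(e.title, L"smile") == 0) ? 0 : -2;
}

int demo_reject_oversized(void)
{
    struct emoticon e;
    wchar_t big[200];
    for (size_t i = 0; i < 199; i++)
        big[i] = L'A';
    big[199] = L'\0';
    /* load_emoticon_unchecked(&e, big, L"x") would write 199 characters into a
     * 32-character field here; the checked loader refuses the value instead. */
    return load_emoticon_checked(&e, big, L"x");
}

int main(void)
{
    printf("normal pair: %d, oversized shortcut: %d\n", demo_accept_normal(), demo_reject_oversized());
    return 0;
}
```

The check in load_emoticon_checked is the validation the advisory says the client lacks: the length of each key value is compared against its destination before any copy, and the bound applies to the scan as well as the copy, so a package that omits the terminator is rejected rather than read past its end.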

Ahrens discovered and documented the flaw in April 2014, but after five months of investigation by Yahoo staff, the bug was categorized as "Won't fix" because the client was approaching its EOL (End of Life).

Now, a year after the bug was shelved, and with still no update released for the Yahoo Messenger Windows client, Ahrens has decided to go public with his findings. The episode does little more than confirm the sad state into which the once mighty and extremely popular Yahoo! Messenger client has fallen.

Yahoo! refused to pay the Bug Bounty program reward

Despite finding and properly disclosing the bug, Ahrens was not compensated for his security research in Yahoo's Bug Bounty program.

Quoting Yahoo's own Bug Bounty program rules, "Non-Web applications are generally not in scope. The only exception being Yahoo Messenger, Toolbar and email clients."

In a private conversation on Twitter, Yahoo justified its decision not to pay Ahrens by indicating that the company had changed its mind about Messenger and how much it still matters to Yahoo. Maybe this explains why Yahoo keeps buying companies and services and shutting them down one or two years later.

Besides refusing payment for a bug that its own rules cover, Yahoo also warned Ahrens that publicly disclosing the bug would earn him a permanent ban from its Bug Bounty program. For a freelance security researcher, that is a big deal. His recent disclosure was made with the company's approval.

Ahrens-Yahoo private conversation on Twitter

Yahoo Messenger for Windows slated for EOL