lately i've been reading some way of hacking yahoo messenger. youtube, hacking forums, and etc, i've been there to ask and to learn how to hacking it. but i've been wondering every now and then while reading and watching those posted videos and scripts, but they are not working. For real, is there any way to hack yahoo messenger?

I suppose there are. tansqrx here is an expert at Yahoo! exploits and vulnerabilities. Although his motives are constructive and are aimed at finding exploits and bringing them to the notice of Yahoo. You can drop by his site http://ycoderscookbook.com to find out more.

Of course there are ways to hack Yahoo! Messenger but are you willing to take the time? For all of Yahoo’s faults, having a long patch time is not one of them. In other words Yahoo! will issue a fix for any given vulnerability within a few days and a mandatory update within a week. This means that once a problem (critical security) comes to Yahoo’s attention you don’t have very much time to react and take advantage of the problem.

This means that those “hacks” on the hundreds of nukePHP boards may have worked 5 years ago but unless they are truly zero-day you will not get anything from them. The only meaningful way to hack Messenger is to come up with an exploit yourself. This takes work and I myself have had a lot of fun researching but I wouldn’t expect to get anything in under 3 months of hard research. As my friend turbomax has said I run a quite little site at ycoderscookbook.com just about this sort of thing. If you are truly interested, stop by the forums and ask some questions. I may not have as many members as some of those other sites but when it comes down to the actual programming aspect of Yahoo! Messenger, I think this is the place to visit.

I will get a list of things together later for you to look into. Is there any one thing that you are trying to “hack”? Are you trying to get into someone else’s account, see if a contact is invisible, or perhaps something else?

I really hope everything goes Jabber like google talk. Open source protocols are teh awesome. I hate that my IM client has to reverse-engineer the protocol every time they change something.

At least AIM is being nicer about it by releasing an API.

It is not that hard to work with YMSG protocol. The initial learning phase is the most important one. Any changes they make are easy to adapt to. All you have got to do is use Ethereal or similar software to monitor the conversations between Yahoo! Messenger and the server.

I suppose the preference of chat clients is personal but I never cared for Google talk very much. I also don’t think that just because a product or protocol is open source it is the best on the market. In the end it comes down to the fact that most of my friends are on Yahoo! so I am also on Yahoo!

In keeping with the original discussion, here are some good starting points for getting into the exploit business. I had a user post a similar question on my site and this is part of my response.

Discovering exploits is not exactly an easy task. It usually takes a lot of time and a fair bit of programming skill and knowledge. I certainly don’t want to discourage you but I want to prepare you for what you are facing. I have never personally found a useable exploit for Messenger but I haven’t been trying lately either. Here is a little bit of information to get you started.

• In the past year there have only been around 5 exploits for Messenger found and there have been a lot of people looking.
• Finding exploits may be hard but the result is usually very distinctive. You will usually have a program crash where the program tries to access restricted memory. From the crash work your way back to see what caused it.
• Messenger has been beat on for many year so all the low hanging fruit has been picked. You should look at some of the newer features like phone.
• For all of Yahoo’s faults, one thing they do well is patch exploits and security vulnerabilities quickly. Once an exploit goes public you usually have less than a week to use it before a mandatory patch is issued.
• There is no magic exploit program, if there were then I would have already used it and the program would be useless to you. There are several programs that you should gather, one particular class of programs are called fuzzers. They basically throw junk data at a program until it crashes.
o http://en.wikipedia.org/wiki/Fuzz_testing
o http://peachfuzz.sourceforge.net/
o http://www.metasploit.com/users/hdm/tools/axman/
• You will also need disassembly tools.
o IDA Pro - http://www.datarescue.com/
o OllyDbg - http://www.ollydbg.de/
o Debugging Tools for Windows - http://www.microsoft.com/whdc/devtools/deb...ng/default.mspx
• Another good addition is a good virtual machine to separate you activites from your main desktop.
o VMWare – http://www.vmware.com/
• A good place to start is watch for 0-day exploits from others and study old exploits. You can download older versions of Messenger from many different places to see how the older ones operate. Watch for new exploits on some of the more popular security list such as Bugtraq at http://www.securityfocus.com/archive/1
• You should also read some books about exploits. One that I recommend starting with is The Shellcoder's Handbook: Discovering and Exploiting Security Holes.

I hope this gets you started. Let me know if you need any more information and remember that there is no silver bullet or quick solution to what you asked.

I'm not knocking yahoo, or implying that something is better by virtue of being open source. I'm just saying that Yahoo would be vilified alot less often if they opened up their protocol and published the specifications. Their target demographic of computer-illiterates will use their ad-ridden client anyway, (and the rest of us will settle for reduced functionality in Adium/Trillian/Pidgin/whathaveyou), whether there's another option or not; so it doesn't even impact yahoo's revenue model.

I guess it all comes down to the cultural values of the company, Yahoo! and Google in this case. I think of Yahoo! as the old media and Google as the new media in the way they think. Google is more open to experimenting with free and realizing they will still get some profit. Yahoo! is more conservative thinking because they can’t quite get over loosing some of their revenue.

I also think the YMSG protocol is still closed because of some historical reasons. Messenger was created before Google made the grand proclamation that everything should be open source. YMSG was born in the era where closed source was the standard and by the very nature of it birth it has a hard time going open. You still have some managers and programmers that have been working on messenger for ten years. It’s always been that way and there is no need to change in their mind.

Both views have valid points. In the end I am not overly concerned that YMSG is a closed protocol. As long as I have a network protocol analyzer at my disposal I will be able to figure out what is going on under the hood. It is very selfish for me to say this but I would hate to see Yahoo! go open because I would loose some of my clout as being one of the few sites that publish YMSG data.

you can hack into anything. if you understand the programing of yahoo messenger you can "hack it"