An interesting post slipped through on Friday from the Official Messenger Blog (http://blog.messenger.yahoo.com/). This is one of the few posts that has some meat to it and it basically outlines what the future of Yahoo! chat rooms are (the title is “Chat rooms: State of the Union”, I like it). According to Yahoo!, the entire backend of the servers has been rebuilt from the ground up. Hopefully they also incorporated security into their software life cycle which would make many of the common problems disappear. There is also a war against bots, and a MAC platform addition.
Two quick commentary points. Perhaps this is why the current chat rooms have fallen into a state of disrepair. The developers were focusing on getting the new version going and simply neglected the current build. With the next version going live soon, the developer should be more focused in keeping the rooms in good condition. This brings me to my second observation. “Though Yahoo! is a big company with over 10,000 employees around the world, a very small number of them work on our chat rooms; in fact you can count them on one hand.” The last time I checked the most this could be is five. It looks to me that Messenger and chat is severely understaffed. With five people I will make the following guess: one is a graphics art person, one is a manager, one IT person, and two developers. With such a large footprint as chat has, it is hard to believe that this team has even had time to keep the servers running. I hope this is a good sign that chat will clean up but I will not make too many bets at the present.
I just added a program that I created called YCC IM View. It basically dumps the HTML that is held in the IHTMLDocument2 object that displays the IM conversation. Or in other words, the IM conversation window is actually an instance of Internet Explorer.
The first time I looked at the HTML I was stunned at how much information is contained there. There is almost 100k of information that is held in the CSS and JavaScript alone. Of course the first thing that popped into my mind was how can I exploit this? The bad thing is I am useless when it comes to JavaScript and CSS. I have attached a sample of one of my dump sessions if you don’t want to look at it yourself (ycoderscookbook.com/Files/documentElement.innerHTML.txt). Anyone that is interested should let me know what you find!
I think I made a big plunge today. I posted YCC Trainer to CodeProject (http://www.codeproject.com/). The direct link is http://www.codeproject.com/useritems/YCC_Trainer.asp.
I haven’t added much to the site for the past two weeks but that is because I have been busy coding. Here are the two things that I am currently working on.
1. Adding the facility to YCC Trainer to determine the IP address of any user. I have figured out the algorithm Yahoo! uses to send the IP between clients. There will be more on this later.
2. Did you know that the standard IM window is basically Internet Explorer? I am working on a way to dump the HTML out of a given IM window. I have already done this partially and I have found some very interesting results. Along with all the text that is typed into a window, there is a huge amount of JavaScript and CSS formatting. I think this is the place all the text formatting takes place and not in the Messenger program. In a way we do have the code that determines formatting and we can now audit it for any “defects.” A program that will let you do this on your own is coming soon also.
Happy Mother’s Day to everyone.
That’s right Uncle Tansqrx what’s you to help out in the crusade to liberate Yahoo! Messenger information. I don’t know if I really made this clear before or not but I always had the intention of making this a community site. This shouldn’t be the Tansqrx show.
You have seen the basic outline of the site and what I am expecting in terms of the content. Now I need your content. I would love to see some of you submit tutorials and even code to be archived on Yahoo! Coder’s Cookbook. Let take for example an email I received today. A fellow Yahoo! explorer asked about how Messenger stored the password locally. I haven’t really looked at this problem in over a year but it is still a very interesting question that needs to be answered. Now if he comes back in a few months with a good answer then I would hope he would type up a short essay and send it in. I would then add a link to it on the tutorial page.
Do you specialize in booters? Type up a paper and send it to me. Like to mess about in the chat rooms? Type up a paper and send it to me. Know what the webcam protocol is? Type up a paper and send it to me.
All I ask are a few simple rules:
•Treat this as an academic research paper. It doesn’t have to be your idea but please document your source.
•Proper grammar (to the extent that any computer geek can go to).
•Well formatted and thought out.
Today Yahoo! announced a whole new way to communicate using Messenger. It’s the “all-new Web-based Yahoo! Instant Messenger.” Ohh wait a minute, wasn’t there already a web version of Yahoo! Messenger?
Despite the fact that the official press release (http://yodel.yahoo.com/2007/05/02/yahoo-messenger-hold-the-download) makes this out to be something completely new, a web version of Messenger has been around for years. I of course will be the first to admit that the old version was so bad that I would like to forget about it too. With the bad taste of my previous experience aside, I was egger to try out this new user experience. I was even more excited to see what it had under the hood and if this is the magic and mystical thing that has brought the servers down for the past few months.
After logging in via the standard web password system I was greeted with a split view of my contacts on the left and a window on the right where my messages are displayed. To the top of the contact list is options for easily changing your status. When a new message is received, it is granted its own tab in the right window. The whole experience has a feel of refinement and some really good programming. As with other Web 2.0 applications, I believe Yahoo! is using Ajax.
An interesting new feature is the history. Apparently now all conversation history is saved on the server just like your contact list.
“IM conversations with your friends can now be saved in your Yahoo! account on Yahoo! servers. This means you can access and search your message history from any computer – just like email! Other users may use this message history feature to save conversations with you in their accounts on Yahoo! too.”
From the press release: “Here’s something I have been waiting to say for a long time… Yahoo! Messenger: Fast, Easy, Beautiful, and now with no download! Again, no download.” I will have to admit it is very nice but I can’t say I will not be installing the next version of Messenger. Although the web version looks pretty it still can not do a lot of the heavy lifting. The two big features that are missing are voice and webcam. Aren’t these two of the biggest features that distinguishes Yahoo! from the other major players? Another thing is this is still in the beta phase and it shows sometimes. While testing it out I had a few messages that were lost in the ether.
I can see some use for this new toy but I will still be signing into my regular PC based application for the foreseeable future. I have on occasions had to use the previous web messenger and I will have to say that this is (at least) 30 times better.
A few closing questions:
•Yahoo! posted previously that May 14 was going to be the day that the servers would stop acting funny. Is this what they were preparing for?
•Since the history is saved on the servers now, will we see a new version of traditional Messenger with the feature also?
•Will a new version of protocol be released for the history?
•And last but not least, what does this mean for security? Will this be another vector for bots and the like?
Since I posted my original comments I had a chance to do some packet sniffing. Apparently Web Messenger is nothing like I expected. It actually communicates very similarly to the traditional Messenger. I also have to take my previous assumption of Ajax back because it now looks like a Flash based application (.swf).
The communication is done through a HTTP POST method that has the following payload.
1^$User^$5^$recipiant^$241^$0^$14^$^a[#0B333CmTest of the system^$
On close inspection you can see that this is a YMSG 6 packet (the same of the regular Messenger). It also has the same payload structure such as 1 for current user, 5 for the recipient, and 14 for the message. The only big differences I can see is the Version is 102 and VendorID is 402.
P.S. Another interesting fact is this is not protected by SSL (https).
Even though I have been dealing with computers for a long time, there are a few things that still surprise me. The latest was when a friend IMed me about a possible vulnerability in Messenger. It was only a theory but it sounded interesting and worth the research. Here is what you do:
1. Open Notepad
2. Type “this app can break” without the quotes
3. Save
4. Reopen the file
At this point you should be presented with a string of boxes which translate into garbage. The first time I saw this I was amazed and I was very excited to get to the bottom of the problem. If this is a new bug then it could open up some very interesting doors. Better yet I may be able to adapt it to Messenger.
I sadly found out that this is one of those oddities that have been around since the creation of Windows. Notepad is not natively aware of Unicode and as a consequence it must use some API trickery to see if the file being opened is Unicode or not. Notepad calls an API called IsTextUnicode (http://msdn2.microsoft.com/en-us/library/ms776445.aspx). This API returns a value indicating what format the file is in. The problem is this is not perfect and sometimes returns the wrong format. This is what is happening with Notepad. You can also note that the same phrase will work properly in WordPad or Microsoft Word because these applications are Unicode aware and do not call the IsTextUnicode API.
A great posting about this can be found at Aftermarket Pipes (http://apipes.blogspot.com/2006/06/this-api-can-break.html) and Jordo Media (http://www.jordomedia.com/RSS/l_op=viewrss/lid=56640.html). A IsTextUnicode specific discussion is at Sorting It All Out (http://blogs.msdn.com/michkap/archive/2005/01/30/363308.aspx).
Sadly I don’t think this oddity will be of any use for the original excitement. After quite a bit of research I could not find a way that this could be used in an “unexpected” way. Even if it could, it appears to be a fairly well known bug and I am sure that I’m not the first one to get excited about it. The finial nail in the coffin is Yahoo! Messenger uses the IE ActiveX COM to display the data. Just like WordPad, IE is Unicode aware and this little trick will not work.
Back to the drawing board. This was an excellent tip and I want to think my friend, Arab Control Agency, for it. If you have any other “oddities” that you would like to mention please let me know and I will eagerly investigate them.
Version 1.1.0 of YCC Trainer has just been posted. It still has a lot of bugs but is far superior to the previous version. Once I get some more features I hope to send it to Code Project.
