Sending Messages: Security Issue?

Hi Folks,

do I understand the SDK documentation correctly? As soon as I am identified against a YIM server, I can use the send message webservice and, as a little extra, I could use the token "-sendAs" to pretend to be the Queen of England / Caesar of China / President of the USofA / .....?
Is there no need to have certain rights to use that input field?
If so, that would explain a lot of the spam I tend to get on YIM, since some fraudulent party could create a Yahoo Account, get some user-ids, and just start sending messages as any of those user ids.
If I read that correctly, that is a huge security hole.


Cheers for enlightening me, if I understood that correctly.

  • QUOTE (BoundInF @ May 6 2011, 10:43 PM)
    Hi Folks,

    do I understand the SDK documentation correctly? As soon as I am identified against a YIM server, I can use the send message webservice and, as a little extra, I could use the token "-sendAs" to pretend to be the Queen of England / Caesar of China / President of the USofA / .....?
    Is there no need to have certain rights to use that input field?
    If so, that would explain a lot of the spam I tend to get on YIM, since some fraudulent party could create a Yahoo Account, get some user-ids, and just start sending messages as any of those user ids.
    If I read that correctly, that is a huge security hole.


    Cheers for enlightening me, if I understood that correctly.


    Hi,
    The input field 'sendAs' is restricted to the yahooId identified by the credentials, and any associated Yahoo! aliases linked to that Yahoo account only.
  • QUOTE (Vivek Aggarwal @ May 9 2011, 04:57 PM)
    Hi,
    The input field 'sendAs' is restricted to the yahooId identified by the credentials, and any associated Yahoo! aliases linked to that Yahoo account only.


    Sorry, hit reply too soon.

    Hi,
    The value of the input field 'sendAs' is restricted to the yahooId identified by the credentials, and any associated Yahoo! aliases linked to that Yahoo account and currently logged into Messenger. The list of logged in active aliases is returned in the login response (POST /v1/session). The server will disallow and fail any attempt to violate these conditions.

    thanks,
    Vivek
  • Thank you for that information. I think that information should also be noted in the documentation.
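The server-side rule Vivek describes, written out as an added example in Python (not Yahoo's or the SDK's code): the session holds the yahooId proven by the credentials plus the active aliases the login response (POST /v1/session) listed, and a sendAs value is accepted only if it is one of those; the ids and the `Session`/`send_message` names are constructed for illustration.

```python
"""Model of the 'sendAs' authorization rule from the thread above.
Added example, not Yahoo's code; ids and names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Session:
    """Session state as established by the login call (POST /v1/session)."""
    yahoo_id: str                                # identity proven by the credentials
    active_aliases: Set[str] = field(default_factory=set)  # aliases logged into Messenger

    def allowed_senders(self) -> Set[str]:
        # Only the authenticated id and its *currently active* aliases may be used.
        return {self.yahoo_id} | self.active_aliases


class SendAsNotAllowed(Exception):
    """Raised when sendAs names an identity the session does not own."""


def resolve_send_as(session: Session, send_as: Optional[str]) -> str:
    """Return the identity a message may be sent as, or refuse the request.

    A missing sendAs falls back to the authenticated yahooId. Any other value
    must be that yahooId or one of the aliases returned at login; anything
    else (for example another user's id) is rejected, not silently rewritten.
    """
    if send_as is None:
        return session.yahoo_id
    if send_as in session.allowed_senders():
        return send_as
    raise SendAsNotAllowed(f"{send_as!r} is not an identity of this session")


def send_message(session: Session, to: str, body: str,
                 send_as: Optional[str] = None) -> Dict[str, str]:
    """Build the outbound message only after the sendAs check has passed."""
    sender = resolve_send_as(session, send_as)
    return {"from": sender, "to": to, "body": body}


if __name__ == "__main__":
    # Constructed sample: the login response listed one active alias.
    s = Session("alice_example", {"alice_work"})
    print(send_message(s, "bob_example", "hi", send_as="alice_work"))
    try:
        send_message(s, "bob_example", "hi", send_as="someone_else")
    except SendAsNotAllowed as err:
        print("rejected:", err)
```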
