Application affected: Yahoo! Messenger ver. 5.x - 6.0 (all builds) Windows, *Nix/Mac
Proof-of-Concept included: Yes
Fix Available: Yes (temporary)

Description: By activating the "Logfile" feature in Yahoo! Messenger, a person (perhaps unauthorized) is able to secretly log and view virtually all communications sent and received by Yahoo! Messenger from all IDs logged into Messenger on the local computer. Users have virtually no awareness of this logging unless they already know about the feature beforehand and know exactly where to look for its presence (not likely). When using this feature you may be susceptible to privacy breaches and increased risk for potential remote DoS
Set the permissions on ypager.log to read-only, or, each time Messenger is started on a shared computer, check for the logging and use the URL handler to disable it when signing in. Deleting the file before Messenger is started won't help: if the file isn't found in the Messenger folder, it is recreated (it's needed even if the Logfile feature is disabled).

Complete details in http://www.securityfocus.com/archive/1/398456/2005-05-15/2005-05-21/0