YMSG16 Authentication

The new Yahoo Messenger v9.0 uses the YMSG16 protocol. To log in, the client sends the username and password to the Yahoo login server, https://login.yahoo.com, and the server responds with a token, which is then used for client authentication on scs.msg.yahoo.com:5050.

The login process goes through multiple steps, as follows.

Step 1: Send username and password to login server

HTTPS request URL:

https://login.yahoo.com/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>

HTTPS response and meaning:

Invalid username : 1235

Wrong password : 1212

Information valid : 0 ymsgr=<token> partnerid=<pid>

The <token> value is used in Step 2 for further processing.

Note: and seem to appear in pair for given username and password

Step 2: Send token to login server

HTTPS request URL:

https://login.yahoo.com/config/pwtoken_login?src=ymsgr&token=<token>

HTTPS response and meaning:

Invalid ymsgr  : 100

Information Valid : 0 crumb=<crumb> Y=<Y-Cookie> T=<T-Cookie> cookievalidfor=

<crumb>, <Y_Cookie>, <T_Cookie> and <B_Cookie> are used for client authentication once the challenge string is received from the pager server.

Note: <B_Cookie> is received in the header of the response.

Step 3: After receiving challenge string from pager server

When the client receives the challenge string from the pager server, it sends an encrypted response back to the server. This response is formed from the <crumb> received in Step 2 and the challenge received from the pager server.

Process for forming response:

crypt = crumb + challenge

hash = MD5(crypt)

response = BASE64(hash)

replace ‘+’ by ‘.’ in response

replace ‘/’ by ‘_’ in response

replace ‘=’ by ‘-’ in response

The client sends this calculated response to the received challenge, along with <Y_Cookie>, <T_Cookie> and <B_Cookie>.
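
The status codes from Steps 1 and 2 and the Step 3 response calculation, as an added Python example (not code from the original page or from Yahoo). It assumes the reply fields arrive one per line and that MD5 means the raw 16-byte digest; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib

# Status codes as listed on this page for each step.
STEP1_ERRORS = {"1235": "invalid username", "1212": "wrong password"}
STEP2_ERRORS = {"100": "invalid ymsgr token"}


def parse_login_reply(body, errors):
    """Parse a reply body: a status code followed by key=value fields.

    Assumption: fields are separated by line breaks, as in the constructed
    samples below; the page does not show the exact separators.
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    status = lines[0]
    if status != "0":
        raise ValueError(errors.get(status, "unexpected status " + status))
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")  # cookie values contain '=' too
        if sep:
            fields[key] = value
    return fields


def challenge_response(crumb, challenge):
    """Step 3: BASE64(MD5(crumb + challenge)) with '+', '/', '=' replaced."""
    # Assumption: the MD5 output fed to BASE64 is the raw digest, not hex.
    digest = hashlib.md5((crumb + challenge).encode("ascii")).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return encoded.translate(str.maketrans("+/=", "._-"))


if __name__ == "__main__":
    # Constructed sample replies and challenge; not captured traffic.
    s1 = parse_login_reply("0\r\nymsgr=SAMPLETOKEN\r\npartnerid=SAMPLEPID\r\n",
                           STEP1_ERRORS)
    s2 = parse_login_reply("0\r\ncrumb=SAMPLECRUMB\r\nY=v=1&n=sample\r\n"
                           "T=z=sample\r\ncookievalidfor=86400\r\n", STEP2_ERRORS)
    print("token:", s1["ymsgr"])
    print("response:", challenge_response(s2["crumb"], "SAMPLECHALLENGE"))
```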