[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [JDEV] Fwd: [BUGTRAQ] First reflections on security of MSN Messenger
So ... can anyone else connect to their AOL IM account this morning with MSN
Messenger?
All my attempts at connecting are being rebuffed with an incorrect password/login
does not exist error... even though I can connect to the accounts using a native
AOL IM client and a TOC AOL IM client..I've talked to a dozen other people
already.. same result.
It would be interesting if AOL has already found a way to detect that you are
using MSN Messenger and dropping the connection, so that all MSN Messenger
attempts to connect are rebuffed.
The first cyber war....???
Best,
Vijay-the-inveterate-IM-user
[Jer, others: if this is not of interest to the guys on this list, let me know
and I will shut up.]
elandrum@bigfoot.com wrote:
> To underline what Brian Mansell just posted a moment ago, I received this
> message from the BUGTRAQ list. I won't litter the list with anymore than this
> one message....
>
> Eliot Landrum
> elandrum@bigfoot.com
>
> Forwarded Message:
> > To: BUGTRAQ@securityfocus.com
> > From: Dmitri Alperovitch <dmitri@ENCRSOFT.COM>
> > Subject: First reflections on security of MSN Messenger
> > Date: Thu, 22 Jul 1999 03:40:35 -0400
> > -----
> <pre>
> Hi.
>
> Having just downloaded and briefly examined the newly released Microsoft's
> MSN Messenger,
> (Microsoft's alternative to ICQ, AIM and other instant messaging clients) I
> must say that Microsoft
> has not learn a single thing from serious security design mistakes made by
> other instant
> messengers. Here is a list of vulnerabilities that I have found in the
> first 30 minutes of using it:
>
> 1. Password (which is the same as your Hotmail e-mail password) and
> contact list are stored in
> the Registry (HKEY_CURRENT_USER\Identities).
> They are both stored as ASCII values in a binary field (Does
> Microsoft actually believe that
> such amateur trick is going to stop a serious hacker?)
>
> 2. The instant messages are sent unencrypted in MIME format. Curiously,
> there is a mention of
> "security software licensed from RSA Data Security, Inc" in the About
> box of the application
> and the program is apparently using Crypto API Hash functions for
> _something_ but it's unclear
> for which purpose. It might actually send a password hash, instead
> of the real password, in it's
> communication with the server, but I have not been able to check that
> yet.
>
> 3. The program is using Hotmail as its user base. So, if you do not have a
> Hotmail account,
> you apparently cannot use the program until you register one (nice
> marketing technique).
> However, this also presents a big security problem. Hotmail has a
> policy to terminate user
> accounts after 120 days of inactivity. So, you might find yourself in
> a situation where you've
> been unable to access your Hotmail account for 3 months and someone
> else has registered your
> account and is impersonating you on MSN Messenger!
>
> These are only the most noticeable problems that I've discovered by just
> examining program's
> operation, the registry, and very briefly looking at the packets sent by
> the program. A closer
> and more thorough examination of the packet exchange might reveal further
> and maybe even
> more serious security weaknesses.
>
> Yours truly,
>
> Dmitri Alperovitch
> Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
> <a href="http://www.encrsoft.com">http://www.encrsoft.com</a>
> dmitri@encrsoft.com
>
> </pre>