[JDEV] Fwd: [BUGTRAQ] First reflections on security of MSN Messenger
Vijay Saraswat
vj at research.att.com
Fri Jul 23 06:13:23 CDT 1999
So ... can anyone else connect to their AOL IM account this morning with MSN
Messenger?
All my attempts at connecting are being rebuffed with an incorrect password/login
does not exist error... even though I can connect to the accounts using a native
AOL IM client and a TOC AOL IM client. I've talked to a dozen other people
already... same result.
It would be interesting if AOL has already found a way to detect that you are
using MSN Messenger and dropping the connection, so that all MSN Messenger
attempts to connect are rebuffed.
The first cyber war....???
Best,
Vijay-the-inveterate-IM-user
[Jer, others: if this is not of interest to the guys on this list, let me know
and I will shut up.]
elandrum at bigfoot.com wrote:
> To underline what Brian Mansell just posted a moment ago, I received this
> message from the BUGTRAQ list. I won't litter the list with any more than this
> one message....
>
> Eliot Landrum
> elandrum at bigfoot.com
>
> Forwarded Message:
> > To: BUGTRAQ at securityfocus.com
> > From: Dmitri Alperovitch <dmitri at ENCRSOFT.COM>
> > Subject: First reflections on security of MSN Messenger
> > Date: Thu, 22 Jul 1999 03:40:35 -0400
> > -----
> <pre>
> Hi.
>
> Having just downloaded and briefly examined the newly released Microsoft's MSN Messenger
> (Microsoft's alternative to ICQ, AIM and other instant messaging clients), I must say that
> Microsoft has not learned a single thing from serious security design mistakes made by other
> instant messengers. Here is a list of vulnerabilities that I have found in the first 30
> minutes of using it:
>
> 1. Password (which is the same as your Hotmail e-mail password) and contact list are stored in
>    the Registry (HKEY_CURRENT_USER\Identities).
>    They are both stored as ASCII values in a binary field (Does Microsoft actually believe that
>    such an amateur trick is going to stop a serious hacker?)
>
> 2. The instant messages are sent unencrypted in MIME format. Curiously, there is a mention of
>    "security software licensed from RSA Data Security, Inc" in the About box of the application
>    and the program is apparently using Crypto API Hash functions for _something_ but it's unclear
>    for which purpose. It might actually send a password hash, instead of the real password, in its
>    communication with the server, but I have not been able to check that yet.
>
> 3. The program is using Hotmail as its user base. So, if you do not have a Hotmail account,
>    you apparently cannot use the program until you register one (nice marketing technique).
>    However, this also presents a big security problem. Hotmail has a policy to terminate user
>    accounts after 120 days of inactivity. So, you might find yourself in a situation where you've
>    been unable to access your Hotmail account for 3 months and someone else has registered your
>    account and is impersonating you on MSN Messenger!
>
> These are only the most noticeable problems that I've discovered by just examining the program's
> operation, the registry, and very briefly looking at the packets sent by the program. A closer
> and more thorough examination of the packet exchange might reveal further and maybe even
> more serious security weaknesses.
>
> Yours truly,
>
> Dmitri Alperovitch
> Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
> http://www.encrsoft.com
> dmitri at encrsoft.com
>
> </pre>
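
Point 1 of the forwarded advisory, as an added example that is not part of the original thread: an audit over a regedit export that flags REG_BINARY values whose bytes are plain ASCII or UTF-16LE text, which shows why a binary field type hides nothing. The export text, the subkey and the value names are constructed placeholders, not the names MSN Messenger used.

```python
import re

# Constructed sample of a regedit export. The subkey and value names are
# placeholders (assumptions), not the names MSN Messenger actually used.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Identities\{PLACEHOLDER-GUID}\Example]
"ExampleSecret"=hex:68,75,6e,74,65,72,32,\
  21,00
"ExampleBlob"=hex:9f,03,e1,7c,00,a4,5b,d2
"ExampleWide"=hex:61,00,6c,00,69,00,63,00,65,00,00,00
'''

HEX_VALUE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]*)\r?$', re.M)

def binary_values(reg_text):
    """Yield (name, bytes) for every REG_BINARY value in a .reg export."""
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)  # undo ",\" line continuations
    for name, body in HEX_VALUE.findall(joined):
        yield name, bytes(int(b, 16) for b in body.split(',') if b)

def as_plaintext(data):
    """Return the text if data is NUL-terminated printable ASCII or UTF-16LE, else None."""
    for enc in ('ascii', 'utf-16-le'):
        try:
            text = data.decode(enc).rstrip('\x00')
        except UnicodeDecodeError:
            continue
        # Require a minimum length so short random byte runs are not flagged.
        if len(text) >= 4 and all(32 <= ord(c) < 127 for c in text):
            return text
    return None

def audit(reg_text):
    """Map value name -> recovered text for binary values that are really plaintext."""
    return {n: t for n, d in binary_values(reg_text) if (t := as_plaintext(d))}

if __name__ == '__main__':
    # Report only the finding and its length, not the recovered value itself.
    for name, text in audit(SAMPLE_REG).items():
        print(f'{name}: readable text stored as REG_BINARY ({len(text)} chars)')
```
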