[JDEV] Fwd: [BUGTRAQ] First reflections on security of MSN Messenger

Vijay Saraswat vj at research.att.com
Fri Jul 23 06:13:23 CDT 1999


So ... can anyone else connect to their AOL IM account this morning with MSN
Messenger?

All my attempts at connecting are being rebuffed with an incorrect password/login
does not exist error... even though I can connect to the accounts using a native
AOL IM client and a TOC AOL IM client..I've talked to a dozen other people
already.. same result.

It would be interesting if AOL has already found a way to detect that you are
using MSN Messenger and dropping the connection, so that all MSN Messenger
attempts to connect are rebuffed.

The first cyber war....???

Best,
Vijay-the-inveterate-IM-user

[Jer, others: if this is not of interest to the guys on this list, let me know
and I will shut up.]

elandrum at bigfoot.com wrote:

> To underline what Brian Mansell just posted a moment ago, I received this
> message from the BUGTRAQ list. I won't litter the list with anymore than this
> one message....
>
> Eliot Landrum
> elandrum at bigfoot.com
>
> Forwarded Message:
> > To: BUGTRAQ at securityfocus.com
> > From: Dmitri Alperovitch <dmitri at ENCRSOFT.COM>
> > Subject:      First reflections on security of MSN Messenger
> > Date:         Thu, 22 Jul 1999 03:40:35 -0400
> > -----
> <pre>
> Hi.
>
> Having just downloaded and briefly examined the newly released Microsoft's
> MSN Messenger,
> (Microsoft's alternative to ICQ, AIM and other instant messaging clients) I
> must say that Microsoft
> has not learn a single thing from serious security design mistakes made by
> other instant
> messengers.  Here is a list of vulnerabilities that I have found in the
> first 30 minutes of using it:
>
> 1.  Password (which is the same as your Hotmail e-mail password) and
> contact list are stored in
>       the Registry (HKEY_CURRENT_USER\Identities).
>       They are both stored as ASCII values in a binary field (Does
> Microsoft actually believe that
>        such amateur trick is going to stop a serious hacker?)
>
> 2. The instant messages are sent unencrypted in MIME format.  Curiously,
> there is a mention of
>       "security software licensed from RSA Data Security, Inc" in the About
> box of the application
>       and the program is apparently using Crypto API Hash functions for
> _something_ but it's unclear
>       for which purpose.  It might actually send a password hash, instead
> of the real password, in it's
>       communication with the server, but I have not been able to check that
> yet.
>
> 3. The program is using Hotmail as its user base. So, if you do not have a
> Hotmail account,
>       you apparently cannot use the program until you register one (nice
> marketing technique).
>       However, this also presents a big security problem.  Hotmail has a
> policy to terminate user
>       accounts after 120 days of inactivity. So, you might find yourself in
> a situation where you've
>       been unable to access your Hotmail account for 3 months and someone
> else has registered your
>       account and is impersonating you on MSN Messenger!
>
> These are only the most noticeable problems that I've discovered by just
> examining program's
> operation, the registry, and very briefly looking at the packets sent by
> the program.  A closer
> and more thorough examination of the packet exchange might reveal further
> and maybe even
> more serious security weaknesses.
>
> Yours truly,
>
> Dmitri Alperovitch
> Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
> <a href="http://www.encrsoft.com">http://www.encrsoft.com</a>
> dmitri at encrsoft.com
>
> </pre>




More information about the JDev mailing list