Windows Messenger Security Issue Revealed?!
Posted by: [PM] on: 02/05/2002 05:49 PM [ Print | 0 comment(s) ] · 779 views
According to a BugTraq Mailing List Archive post by Richard Burton the messenger software MSN Messenger (and Windows Messenger on XP)
can be used to obtain personal information about a
user from any website (in any domain).
Read more...
Using java script a user's display name can be obtained from Messenger, as well as the display names of all their contacts. For users who have a sensible and accurate display name this should be considered a privacy issue. (Note: anyone who has not set a display name at all, will reveal their email address instead.) Using the same technique web sites hosted on certain domains (microsoft.com, hotmail.com & hotmail.msn.com) can also access the email address of the user (along with the email addresses of all their contacts). This could be used by Microsoft to track users on their sites, which many would consider to be a privacy issue. In addition to the three domains mentioned above, additional domains can be allowed access to the email addresses with a single registry entry. This registry entry could be made by spyware/adware installed by a user (sometimes unknowingly along with a piece of shareware). Once there you have the potential to give your email address to any site that requests it and places it in a cookie. Technical Info: Microsoft designed Messenger to allow functionality to be used in webpages using java script or vb script . This includes the ability to view the display name and email address of the user and their contacts. In an attempt to protect users only a certain selection of sites can use script to get email addresses, but all can get display names. The list of domain suffixes that have full access to Messenger functionality (email addresses & more?) can be found in the registry in key "HKEY_LOCAL_MACHINE SOFTWARE Microsoft MessengerService Policies Suffixes".
Values "Suffix0", "Suffix1", etc. By default there are no entries in the list, but they can be added. E.g. adding value Suffix0 = "test.com" will give web sites in the test.com domain full access to Messenger information. Full domains do not have to be specified in the list, adding "com" would allow all .com sites to have full access. Although by default there are no entries in this list, three domains (listed above) are hard coded into Messenger for the same purpose. These allow Microsoft to make their sites (e.g. Hotmail) look nice by integrating messenger features into them. The user cannot remove the special status applied to these sites. The only way for a user to prevent sites having any access to their information is by logging out of Messenger before visiting. For a simple how-to, just look at the source of the demonstration page given below. Test your Messenger
Using java script a user's display name can be obtained from Messenger, as well as the display names of all their contacts. For users who have a sensible and accurate display name this should be considered a privacy issue. (Note: anyone who has not set a display name at all, will reveal their email address instead.) Using the same technique web sites hosted on certain domains (microsoft.com, hotmail.com & hotmail.msn.com) can also access the email address of the user (along with the email addresses of all their contacts). This could be used by Microsoft to track users on their sites, which many would consider to be a privacy issue. In addition to the three domains mentioned above, additional domains can be allowed access to the email addresses with a single registry entry. This registry entry could be made by spyware/adware installed by a user (sometimes unknowingly along with a piece of shareware). Once there you have the potential to give your email address to any site that requests it and places it in a cookie. Technical Info: Microsoft designed Messenger to allow functionality to be used in webpages using java script or vb script . This includes the ability to view the display name and email address of the user and their contacts. In an attempt to protect users only a certain selection of sites can use script to get email addresses, but all can get display names. The list of domain suffixes that have full access to Messenger functionality (email addresses & more?) can be found in the registry in key "HKEY_LOCAL_MACHINE SOFTWARE Microsoft MessengerService Policies Suffixes".
Values "Suffix0", "Suffix1", etc. By default there are no entries in the list, but they can be added. E.g. adding value Suffix0 = "test.com" will give web sites in the test.com domain full access to Messenger information. Full domains do not have to be specified in the list, adding "com" would allow all .com sites to have full access. Although by default there are no entries in this list, three domains (listed above) are hard coded into Messenger for the same purpose. These allow Microsoft to make their sites (e.g. Hotmail) look nice by integrating messenger features into them. The user cannot remove the special status applied to these sites. The only way for a user to prevent sites having any access to their information is by logging out of Messenger before visiting. For a simple how-to, just look at the source of the demonstration page given below. Test your Messenger
« Maxtor Goes USB 2.0 & Firewire! · Windows Messenger Security Issue Revealed?!
· Intel Introduces L3 Cache On Die With McKinley Processor! »
