Feeds

Major privacy hole in Windows/MSN Messenger

'Feature' introduces you and your friends to Web sites

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

A nifty feature in MSN and Windows Messenger which apparently was intended to identify IE users (without their knowledge or consent) on Microsoft Web sites can easily be abused by any Webmaster with a bit of Javascript or VBscript, a clever empiricist has discovered.

The feature allows anyone to obtain a surfer's Messenger username and those of his contacts, according to Richard Burton in a post Monday to the BugTraq mailing list.

Worse, if a username is not available, the e-mail address of the surfer and those of his contacts are displayed instead.

Only Microsoft.com, Hotmail.com and Hotmail.msn.com should be able to access the e-mail address of the surfer and his contacts -- which of course is bad enough. However, a piece of software could easily make a registry entry during installation which would allow an associated Web site to obtain full details from Messenger.

Using the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes
a semi-malicious program could easily enable Web access by adding domain suffixes. According to Burton, the suffix can be as little as .org or .com, which would enable any Web site with that suffix to access your details.

By default, there are no suffixes listed in the registry, Burton says, but the Microsoft domains are hard-coded into Messenger, presumably to enhance the company's renowned devotion to customer service, or to accommodate the advertising industry in some backchannel manner.

Presently the only known, sure fix for IE users is to disable Messenger before visiting the Microsoft sites mentioned above. It would also be a good idea to check for entries under the above registry key, especially after installing software, Burton says.

On the plus side, we've had anecdotal reports from readers indicating that users of other browsrs like Opera, Mozilla and Netscape aren't affected. We've also heard that Trillian users are safe as well, even if they use IE. Finally, it appears that users of IE and Messenger can avoid revealing themselves by setting their browsers to prevent scripting ActiveX controls. All of this is preliminary, however, and we'll update as we get more information.

A simple demonstration of the Messenger hole feature can be found here. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.