Feeds

Major privacy hole in Windows/MSN Messenger

'Feature' introduces you and your friends to Web sites

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

A nifty feature in MSN and Windows Messenger which apparently was intended to identify IE users (without their knowledge or consent) on Microsoft Web sites can easily be abused by any Webmaster with a bit of Javascript or VBscript, a clever empiricist has discovered.

The feature allows anyone to obtain a surfer's Messenger username and those of his contacts, according to Richard Burton in a post Monday to the BugTraq mailing list.

Worse, if a username is not available, the e-mail address of the surfer and those of his contacts are displayed instead.

Only Microsoft.com, Hotmail.com and Hotmail.msn.com should be able to access the e-mail address of the surfer and his contacts -- which of course is bad enough. However, a piece of software could easily make a registry entry during installation which would allow an associated Web site to obtain full details from Messenger.

Using the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes
a semi-malicious program could easily enable Web access by adding domain suffixes. According to Burton, the suffix can be as little as .org or .com, which would enable any Web site with that suffix to access your details.

By default, there are no suffixes listed in the registry, Burton says, but the Microsoft domains are hard-coded into Messenger, presumably to enhance the company's renowned devotion to customer service, or to accommodate the advertising industry in some backchannel manner.

Presently the only known, sure fix for IE users is to disable Messenger before visiting the Microsoft sites mentioned above. It would also be a good idea to check for entries under the above registry key, especially after installing software, Burton says.

On the plus side, we've had anecdotal reports from readers indicating that users of other browsrs like Opera, Mozilla and Netscape aren't affected. We've also heard that Trillian users are safe as well, even if they use IE. Finally, it appears that users of IE and Messenger can avoid revealing themselves by setting their browsers to prevent scripting ActiveX controls. All of this is preliminary, however, and we'll update as we get more information.

A simple demonstration of the Messenger hole feature can be found here. ®

Beginner's guide to SSL certificates

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.