Feeds

Major privacy hole in Windows/MSN Messenger

'Feature' introduces you and your friends to Web sites

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

A nifty feature in MSN and Windows Messenger which apparently was intended to identify IE users (without their knowledge or consent) on Microsoft Web sites can easily be abused by any Webmaster with a bit of Javascript or VBscript, a clever empiricist has discovered.

The feature allows anyone to obtain a surfer's Messenger username and those of his contacts, according to Richard Burton in a post Monday to the BugTraq mailing list.

Worse, if a username is not available, the e-mail address of the surfer and those of his contacts are displayed instead.

Only Microsoft.com, Hotmail.com and Hotmail.msn.com should be able to access the e-mail address of the surfer and his contacts -- which of course is bad enough. However, a piece of software could easily make a registry entry during installation which would allow an associated Web site to obtain full details from Messenger.

Using the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes
a semi-malicious program could easily enable Web access by adding domain suffixes. According to Burton, the suffix can be as little as .org or .com, which would enable any Web site with that suffix to access your details.

By default, there are no suffixes listed in the registry, Burton says, but the Microsoft domains are hard-coded into Messenger, presumably to enhance the company's renowned devotion to customer service, or to accommodate the advertising industry in some backchannel manner.

Presently the only known, sure fix for IE users is to disable Messenger before visiting the Microsoft sites mentioned above. It would also be a good idea to check for entries under the above registry key, especially after installing software, Burton says.

On the plus side, we've had anecdotal reports from readers indicating that users of other browsrs like Opera, Mozilla and Netscape aren't affected. We've also heard that Trillian users are safe as well, even if they use IE. Finally, it appears that users of IE and Messenger can avoid revealing themselves by setting their browsers to prevent scripting ActiveX controls. All of this is preliminary, however, and we'll update as we get more information.

A simple demonstration of the Messenger hole feature can be found here. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?