Original URL: http://www.theregister.co.uk/2011/07/28/icq_scripting_bug/
Naughty JavaScript can be planted in IM status messages
Technique shown for ICQ as well as Skype
Posted in Security, 28th July 2011 12:28 GMT
Security shortcomings in both ICQ instant messenger for Windows and the ICQ website create a possible mechanism for account hijacking, a security researcher warns [1].
Levent Kayan warns that the software fails to screen against the inclusion of JavaScript code in user-supplied status messages. The shortcoming means that this JavaScript code might be run on a victim's machine, provided the victim is tricked into opening the booby-trapped status message using a vulnerable ICQ client.
The technique might be used to steal session cookies, enabling the hijacker to impersonate victims, or (with greater difficulty) to gain access to local files on a compromised PC. Kayan found a similar [2] cross-site scripting flaw involving Skype earlier this month.
Heise Security was able to reproduce the flaw discovered by Kayan using the current 7.5 version of ICQ. ICQ told [3] the security news site that it was in the process of developing and testing a security fix. ®
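
The class of flaw described above, shown as an added example that is not ICQ's code or part of the original article: a status message concatenated into HTML unchanged, beside the same rendering with output encoding, plus a session cookie flagged HttpOnly so script cannot read it. All function names, the markup template and the sample status strings are constructed for illustration.

```javascript
// Added illustration; names and markup are hypothetical, not taken from ICQ.

// Vulnerable pattern: the status text is concatenated into HTML unchanged,
// so any markup inside it is interpreted by the rendering engine.
function renderStatusUnsafe(nick, status) {
  return '<div class="status"><b>' + nick + '</b>: ' + status + '</div>';
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: every user-controlled field is encoded at output time.
function renderStatusSafe(nick, status) {
  return '<div class="status"><b>' + escapeHtml(nick) + '</b>: ' + escapeHtml(status) + '</div>';
}

// Defence in depth against cookie theft: an HttpOnly cookie is not exposed
// to document.cookie, so injected script cannot read the session token.
function sessionCookieHeader(name, value) {
  return `Set-Cookie: ${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Check for templates: the fixed markup above opens or closes exactly four
// tags, so any additional '<' means user input was parsed as markup.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample status messages (benign proof-of-concept strings).
const SAMPLE_STATUSES = [
  'Out for lunch, back at 2 & ready to chat',
  '<script>alert(1)</script>',
  '<img src=x onerror="alert(1)">',
];

function demo() {
  return SAMPLE_STATUSES.map((s) => ({
    unsafeTags: tagCount(renderStatusUnsafe('alice', s)),
    safeTags: tagCount(renderStatusSafe('alice', s)),
    safeHtml: renderStatusSafe('alice', s),
  }));
}
```

A `tagCount` above 4 on rendered output is a quick regression check that user-supplied text reached the page as markup rather than as text.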
