mailing list archives
MSN Messenger Hijacking
From: Tom Gilder <tom () tom me uk>
Date: Sat, 9 Feb 2002 20:34:51 +0000
MSN MESSENGER HIJACKING
Security bulletin by Tom Gilder and Thor Larholm
Published February 9th 2002
There has recently been reported some privacy problems (see
http://www.securityfocus.com/bid/4028) in MSN
Messenger. However, these problems pale in comparison to what can be
done if you use MSN Messenger through unpatched IE vulnerabilities.
Using these, a malicious programmer can easily hijack the MSN
Messenger client from a user, allowing him/her (among others) to
silently and automatically read their contact list (harvesting email
addresses) and impersonate the user by sending arbitrary messages,
email or local files to anyone.
The victim would be unaware of any such action, and the malicious
programmer would in practice be impersonating himself as the victim
towards the MSN Messenger client, allowing him/her to do anything with
MSN Messenger that the victim would normally be able to.
For an example on how this can be exploited, visit the hijacking
demonstration page at http://tom.me.uk/msn/demo.html.
To summarize, this is not made possible by a bug in the MSN Messenger
client. This vulnerability is made possible by the "document.open" bug
discovered by "The Pull" (http://www.osioniusx.com/), which has been
left unpatched for nearly two months now - see the SecurityFocus page at
http://www.securityfocus.com/bid/3721 for more information.
However, this would never have been an issue if the MSN Messenger
client had incorporated some other kind of authentication than DNS
This example has been made public to put pressure on MS to patch their
vulnerabilities, that they are fully aware of.
Many more unpatched vulnerabilities currently exist in IE - for a full
list see http://jscript.dk/unpatched/.
This exploit has so far been confirmed to work on:
* Windows 98 SE with IE6 final (fully patched as of Feb 9) and
MSN Messenger 4.6.0073
* Windows 98 SE with IE6 final and MSN Messenger 3.6.0024
* Windows ME with IE6 final (fully patched as of Feb 9) and MSN
* Windows 2000 with IE6 final (fully patched as of Feb 9) and MSN
* Windows 2000, IE5.5, MSN Messenger 4.6.00.73
It is so far believed to be working in any version of the MSN
Messenger client on any OS, though this remains unconfirmed due to a
lack of varied test configurations.
List of unpatched IE6 vulnerabilities - http://jscript.dk/unpatched/
MSN Messenger - http://messenger.msn.com/
Hijacking demonstration page - http://tom.me.uk/msn/demo.html
Microsoft Internet Explorer - http://www.microsoft.com/windows/ie/default.asp
SecurityFocus - http://www.securityfocus.com/
The Pull - http://www.osioniusx.com/
Microsoft Recalls Botched Browser Security Patch - http://www.newsbytes.com/news/02/174365.html
Microsoft works to fix MSN privacy flaw - http://news.com.com/2100-1001-833154.html
document.open bug on SecurityFocus - http://www.securityfocus.com/bid/3721
MSN Messenger privacy problems on SecurityFocus - http://www.securityfocus.com/bid/4028
tom () tom me uk
- MSN Messenger Hijacking Tom Gilder (Feb 09)