[UNTRUE] Gadu-Gadu supposedly fixed the invisible detection vulnerability?
From: Maciej Soltysiak (maciej_at_soltysiak.com)
Date: 08/30/05
- Previous message: Marc Ruef: "e107 0.6 forum_post.php create new topics in non-existing forums"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Aug 2005 12:45:33 +0200 To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Hello,
=== Introduction ===
Today some services announced that Gadu-Gadu company fixed the
vulnerability in their servers that was used by software plugins
like "Inwigilator" from the Power Project, et. al. to detect
whether a user of the IM program is Unavailable or Invisible.
=== What is untrue ===
I am not aware what technique is used by these plugins, but
unfortunately or not, it is *still* possible to detect
whether the user is invisible using the same old technique
I discovered on 23 september 2004 (The article[1] written in Polish
is still available and the POC[2] uses libgadu[3])
=== Usage ===
Compiled POC allows you to try to detect the invisible user:
# ./gadu <your_uin> <your_password> <victim_uin>
gadu_connect: success.
Gosciu jest online!
gadu_disconnect
This shows that <victim_uin> is online. If seems unavailable
it means they are invisible.
The conditions remain constant:
- the victim must have you listed in their address book
- the victim must have image messages enabled (that is the
minimum size > 0)
The vendor was notified on in september 2004.
=== References ===
[1] http://soltysiak.com/articles/gg_ir.php
[2] http://www.soltysiak.com/gadu.c
[3] http://dev.null.pl/ekg/
-- Regards, Maciej Soltysiak
- Previous message: Marc Ruef: "e107 0.6 forum_post.php create new topics in non-existing forums"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
