RE: MSN Messenger reveals your name to websites (and can reveal email addresses too)
From: Bryan Allerdice (bryan_allerdice@yahoo.com)Date: 02/06/02
- Previous message: Sean Davis: "Re: chaging your @home IP address... could you take a bunch of them....probably... could you get something from it...maybe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Bryan Allerdice" <bryan_allerdice@yahoo.com> To: <vuln-dev@securityfocus.com> Date: Tue, 5 Feb 2002 22:19:39 -0400
An email was posted to a security mailing list today or yesterday by
Johannes Westerink concerning Cross Site Scripting on Microsoft domains...
<snip>
Examples how it can be exploited:
Cross Site Scripting:
<snip>
Since Microsoft domains are trusted, and get email address details using
I'm busy working at the moment, but I am interested if it can be done. How
I'm sure spammers will love this exploit... unfortunately. Thanks Microsoft.
Poor XP users.
BRYAN
-----Original Message-----
Introduction
MSN Messenger (and Windows Messenger on XP)
Using JavaScript a user's display name can be
Using the same technique web sites hosted on
In addition to the three domains mentioned above,
Affects
- MSN Messenger 4.6.0073 (latest at 02/02/2002) on
Technical
Microsoft designed Messenger to allow functionality
The list of domain suffixes that have full access to
Full domains do not have to be specified in the list,
Although by default there are no entries in this list,
The only way for a user to prevent sites having any
For a simple how-to, just look at the source of the
Demo Page
I have set up a simple demonstration of the problem
http://raburton.members.easyspace.com/msn/
This will show your name and the names of all your
Recommendations For Users
- Set a display name so your email address isn't
Recommendations For Microsoft
- Remove the hard coded list of domains, so users
Author
Richard Antony Burton - richardaburton@hotmail.com
_________________________________________________________
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://ulogin.bcentral.com/~/
pxerrorpath=null
http://www.msn.com/~/
ath=null
http://my.msn.com/~/
th=null
http://dotnet.microsoft.com/
http://terraserver.microsoft.net/
x
http://support.microsoft.com/~/
aspxerrorpath=null
http://office.microsoft.com/~/
spxerrorpath=null
http://communities.microsoft.com/~/
spx
http://uddi.microsoft.com/~/
Richard's code, couldn't a CSS version be made which grabs full user
details, and relays them to an untrusted third party?
about someone out there with more time on their hands than me, give the CSS
idea a go and report back to the list.
From: Richard Burton [mailto:richardaburton@hotmail.com]
Sent: Saturday, February 02, 2002 4:39 PM
To: bugtraq@securityfocus.com
Subject: MSN Messenger reveals your name to websites (and can reveal
email addresses too)
============
can be used to obtain personal information about a
user from any website (in any domain).
obtained from Messenger, as well as the display
names of all their contacts. For users who have a
sensible and accurate display name this should be
considered a privacy issue. (Note: anyone who has
not set a display name at all, will reveal their email
address instead.)
certain domains (microsoft.com, hotmail.com &
hotmail.msn.com) can also access the email
address of the user (along with the email addresses
of all their contacts). This could be used by Microsoft
to track users on their sites, which many would
consider to be a privacy issue.
additional domains can be allowed access to the
email addresses with a single registry entry. This
registry entry could be made by spyware/adware
installed by a user (sometimes unknowingly along
with a piece of shareware). Once there you have the
potential to give your email address to any site that
requests it and places it in a cookie.
=======
Windows 2000 with IE 6.
- Windows Messenger 4.6.0073 (latest at
02/02/2002) on Windows XP with IE 6.
- Probably other versions and other platforms too.
=========
to be used in webpages using JavaScript or
VBScript. This includes the ability to view the display
name and email address of the user and their
contacts. In an attempt to protect users only a certain
selection of sites can use script to get email
addresses, but all can get display names.
Messenger functionality (email addresses & more?)
can be found in the registry in
key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\MessengerService\Policies\Suffixes".
Values "Suffix0", "Suffix1", etc. By default there are no
entries in the list, but they can be added. E.g. adding
value Suffix0 = "test.com" will give web sites in the
test.com domain full access to Messenger
information.
adding "com" would allow all .com sites to have full
access.
three domains (listed above) are hard coded into
Messenger for the same purpose. These allow
Microsoft to make their sites (e.g. Hotmail) look nice
by integrating messenger features into them. The
user cannot remove the special status applied to
these sites.
access to their information is by logging out of
Messenger before visiting.
demonstration page given below.
=========
here:
contacts. If you add the registry entry given it will also
show your email address and the addresses of all
your contacts.
=========================
obtainable so easily.
- Check for entries
in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
MessengerService\Policies\Suffixes" regularly,
especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain
anonymous, close MSN Messenger.
=============================
can choose to allow this functionality on MS sites.
- Prevent applications adding to the Suffixes list.
- Give the user the option to disable the scripting
support.
======
Please feel free to contact me about this post, I will
do my best to answer any questions you may have.
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
Relevant Pages
... ensure the Windows Live Messenger does not have proxy settings and ... Please follow the link and download and run the Microsoft Internet ... Clear the current existing W3C logs. ... This newsgroup only focuses on SBS technical issues. ...
(microsoft.public.windows.server.sbs)
... if we can make Windows Live Messenger 8.0 to work: ... Find SBS Internet Access Rule in middle pane, right-click it, select ... Microsoft CSS Online Newsgroup Support ...
(microsoft.public.windows.server.sbs)
... MSN Messenger OCX Buffer Overflow ... Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control ...
(NT-Bugtraq)
... MSN Messenger OCX Buffer Overflow ... Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control ...
(Bugtraq)
... that until you install Messenger Live it would all work. ... Microsoft CSS Online Newsgroup Support ...
(microsoft.public.windows.server.sbs)
