[MUD-Dev] Re: OT: ICQ hacks and exploits
Mike Sellers
mike at bignetwork.com
Fri Jun 5 10:09:01 CEST 1998
Interesting. One wonders whether the much-rumored $300M sale of ICQ to AOL
will change this situation (not to mention exemplifying the business model
of the '90s :-) ). =20
At 09:23 AM 6/5/98 -0700, J C Lawrence wrote:
>
>Due to the number of ICQ users we have here:
>
>Date: 4 Jun 1998 21:49:09 -0000
>From: announce-outgoing at rootshell.com
>Cc: recipient list not shown: ;
>Subject: [rootshell] Security Bulletin #19
>
>...deletia...
>An archive of this list is available at :
>http://www.rootshell.com/mailinglist-archive
>...deletia...
>
>01. ICQ Hijaak
>- --------------
>
>As of 6/3/98 Mirabilis has disabled the ability to change your password at
>all. The purpose of this bulletin is to alert all ICQ users of the dangers
>in the ICQ protocol. Rootshell now has 4 unique exploits for the ICQ
>protocol online at www.rootshell.com.
>
>- --
>
>Date: Sun, 31 May 1998 16:46:20 -0700
>From: wumpus at INNOCENT.COM
>Subject: ICQ Hijaaking.. Is YOUR account safe?
>
>The source code here pretty much says it all. Mirabilis has been extremely
>negligent in fixing protocol holes, and this allows accounts to be=
subverted
>with possible leaks of information.
>
>Merely by leaving your ICQ application logged in ( Java _or_ Win32 ) your
>account can be hijaaked (the password changed withoyt knowing the=
original).
>An attacker can then use that account to obtain information from people
>contacting you, or to do other inappropriate things which would result in
>the account being terminated.
>
>I have given Mirabilis fair warning of this attack, and talked with Arik
>about what was necessary to fix it. Unfortunately, with the last four
versions
>this has not been put into place. It would seem the only way to fix such
>grave problems with their protocol is to air it in the public arena.
>
>There are no real workarounds for this problem, although there are some
>obvious workarounds to this exploit (left to the reader). If you value=
your
>ICQ account, do not log into it until a fix is available. Otherwise, you
>can hope no one bothers to hit your UIN --- there are a huge number and you
>might be lucky.
>
>...full source code of exploit deletia...
>
>--=20
>J C Lawrence Internet: claw at null.net
>(Contractor) Internet: coder at ibm.net
>---------(*) Internet: claw at under.engr.sgi.com
>...Honourary Member of Clan McFud -- Teamer's Avenging Monolith...
>
>--=20
>MUD-Dev: Advancing an unrealised future.
>=20
--
Mike Sellers=A0=A0=A0=A0=A0=A0 Chief Creative Officer=A0=A0=A0=A0=A0=A0 The=
Big Network
mike at bignetwork.com=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0
<http://www.bignetwork.com/>http://www.bignetwork.com
=A0=A0=A0=A0=A0=A0=A0=A0=A0 Fun=A0=A0 Is=A0=A0 Good =20
More information about the mud-dev-archive
mailing list