SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   Microsoft MSN Messenger
Vendors:   Microsoft
Windows Messenger (aka MSN Messenger) Instant Messaging Client Discloses Display Name and Contacts to Remote Users
SecurityTracker Alert ID:  1003436
SecurityTracker URL:  http://securitytracker.com/id/1003436
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 5 2002
Impact:   Disclosure of user information
Exploit Included:  Yes  
Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected
Description:   An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.

It is reported that a remote user can create JavaScript that will cause MSN Messenger or Windows Messenger to disclose personal information. The user's display name and the display names of the user's contacts may be disclosed. If the user has not set a display name, the user's e-mail address may be disclosed.

It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.

It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.

A demonstration exploit page is available at:

http://raburton.members.easyspace.com/msn/

Impact:   A remote user can obtain another user's display name and contacts via malicious JavaScript that must be loaded by the target user, either via a web page or via HTML-based e-mail.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following recommendations:

- Set a display name so your email address isn't obtainable so easily.
- Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain anonymous, close MSN Messenger.
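
One way to script the registry check recommended above, as an added example that is not part of the original report or of any Microsoft tool. The key path and the "SuffixN" value names come from the report; the function name and the breadth labels are assumptions of this example.

```powershell
# Added example: list the Messenger suffix allow-list entries named in the report.
# Get-MessengerSuffixAudit and the Breadth labels are illustrative names.
function Get-MessengerSuffixAudit {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # Key absent: nothing has been added to the list.
        return @()
    }

    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        # Only the Suffix0, Suffix1, ... values described in the report.
        if ($name -notmatch '^Suffix\d+$') { continue }

        $value  = [string]$key.GetValue($name)
        $labels = @($value.Trim('.').Split('.') | Where-Object { $_ })

        [pscustomobject]@{
            ValueName = $name
            Suffix    = $value
            # A single label such as "com" covers every site under that suffix.
            Breadth   = if ($labels.Count -le 1) { 'top-level (very broad)' } else { 'domain' }
        }
    }
}

$findings = @(Get-MessengerSuffixAudit)
if ($findings.Count -eq 0) {
    Write-Output 'No Suffix entries found (the default state described in the report).'
} else {
    # Any entry here grants the listed suffix full access to Messenger data.
    $findings | Sort-Object ValueName | Format-Table -AutoSize
}
```

Run it after installing freeware or shareware, as the report suggests, and treat any entry you did not add yourself as unexpected.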

Vendor URL:  messenger.msn.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  MSN Messenger reveals your name to websites (and can reveal email




Introduction
============

MSN Messenger (and Windows Messenger on XP) 
can be used to obtain personal information about a 
user from any website (in any domain).

Using JavaScript a user's display name can be 
obtained from Messenger, as well as the display 
names of all their contacts. For users who have a 
sensible and accurate display name this should be 
considered a privacy issue. (Note: anyone who has 
not set a display name at all, will reveal their email 
address instead.)

Using the same technique web sites hosted on 
certain domains (microsoft.com, hotmail.com & 
hotmail.msn.com) can also access the email 
address of the user (along with the email addresses 
of all their contacts). This could be used by Microsoft 
to track users on their sites, which many would 
consider to be a privacy issue.

In addition to the three domains mentioned above, 
additional domains can be allowed access to the 
email addresses with a single registry entry. This 
registry entry could be made by spyware/adware 
installed by a user (sometimes unknowingly along 
with a piece of shareware). Once there you have the 
potential to give your email address to any site that 
requests it and places it in a cookie.


Affects
=======

 - MSN Messenger 4.6.0073 (latest at 02/02/2002) on 
Windows 2000 with IE 6.
 - Windows Messenger 4.6.0073 (latest at 
02/02/2002) on Windows XP with IE 6.
 - Probably other versions and other platforms too.


Technical
=========

Microsoft designed Messenger to allow functionality 
to be used in webpages using JavaScript or 
VBScript. This includes the ability to view the display 
name and email address of the user and their 
contacts. In an attempt to protect users only a certain 
selection of sites can use script to get email 
addresses, but all can get display names.

The list of domain suffixes that have full access to 
Messenger functionality (email addresses & more?) 
can be found in the registry in key 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes". 
Values "Suffix0", "Suffix1", etc. By default there are no 
entries in the list, but they can be added. E.g. adding 
value Suffix0 = "test.com" will give web sites in the 
test.com domain full access to Messenger 
information.

Full domains do not have to be specified in the list, 
adding "com" would allow all .com sites to have full 
access.

Although by default there are no entries in this list, 
three domains (listed above) are hard coded into 
Messenger for the same purpose. These allow 
Microsoft to make their sites (e.g. Hotmail) look nice 
by integrating messenger features into them. The 
user cannot remove the special status applied to 
these sites.

The only way for a user to prevent sites having any 
access to their information is by logging out of 
Messenger before visiting.

For a simple how-to, just look at the source of the 
demonstration page given below.


Demo Page
=========

I have set up a simple demonstration of the problem 
here:

   http://raburton.members.easyspace.com/msn/

This will show your name and the names of all your 
contacts. If you add the registry entry given it will also 
show your email address and the addresses of all 
your contacts.


Recommendations For Users
=========================

- Set a display name so your email address isn't 
obtainable so easily.
- Check for entries in 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, 
especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain 
anonymous, close MSN Messenger.


Recommendations For Microsoft
=============================

- Remove the hard coded list of domains, so users 
can choose to allow this functionality on MS sites.
- Prevent applications adding to the Suffixes list.
- Give the user the option to disable the scripting 
support.


Author
======

Richard Antony Burton - richardaburton@hotmail.com
Please feel free to contact me about this post, I will 
do my best to answer any questions you may have.

 
 

