Thanks to neo1980 on the forums for the heads up on this one :)
I thought I'd post this here to alert all you Neowinians out there:
A nifty feature in MSN and Windows Messenger which apparently was intended to identify IE users (without their knowledge or consent) on Microsoft Web sites can easily be abused by any Webmaster with a bit of JavaScript or VBScript, a clever empiricist has discovered.
The feature allows anyone to obtain a surfer's Messenger username and those of his contacts, according to Richard Burton in a post Monday to the BugTraq mailing list.
Worse, if a username is not available, the e-mail address of the surfer and those of his contacts are displayed instead.
Only Microsoft.com, Hotmail.com and Hotmail.msn.com should be able to access the e-mail address of the surfer and his contacts -- which of course is bad enough. However, a piece of software could easily make a registry entry during installation which would allow an associated Web site to obtain full details from Messenger.
Using the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes
a semi-malicious program could easily enable Web access by adding domain suffixes. According to Burton, the suffix can be as little as .org or .com, which would enable any Web site with that suffix to access your details.
By default, there are no suffixes listed in the registry, Burton says, but the Microsoft domains are hard-coded into Messenger, presumably to enhance the company's renowned devotion to customer service, or to accommodate the advertising industry in some backchannel manner.
EDIT: I do realise that the vast majority of Neowin's users are experts / power users so this may not exactly be front page news. However, for others I thought I'd post this story as it may be a little helpful in understanding what their 'puter is doing. Laters, Cheeky.
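The following is an added example, not part of the original post or of Burton's report: a small Python model of the suffix allowlist described above, with an audit that flags entries an administrator would want to review. The function names, the sample entries and the label-boundary matching rule are assumptions; the page does not describe how Messenger stores or compares the values.

```python
"""Added example: model of a suffix allowlist and an audit for over-broad entries."""

# Domains the article says are hard-coded into Messenger.
HARD_CODED = ("microsoft.com", "hotmail.com", "hotmail.msn.com")


def normalise(suffix):
    """Lower-case and strip surrounding dots/space so '.ORG' and 'org' compare equal."""
    return suffix.strip().strip(".").lower()


def host_allowed(host, registry_suffixes):
    """Return True if host matches a hard-coded domain or any registry suffix.

    Assumption: matching is done on label boundaries; the exact comparison
    Messenger performs is not described on the page.
    """
    host = normalise(host)
    for suffix in map(normalise, (*HARD_CODED, *registry_suffixes)):
        if suffix and (host == suffix or host.endswith("." + suffix)):
            return True
    return False


def audit_suffixes(registry_suffixes):
    """Return (entry, severity) findings for the configured suffixes.

    Every entry is worth a look because the key is reported to be empty by
    default; a single-label entry such as '.com' is marked critical because
    it covers every site under that top-level domain.
    """
    findings = []
    for raw in registry_suffixes:
        suffix = normalise(raw)
        if not suffix:
            continue
        severity = "critical" if "." not in suffix else "review"
        findings.append((raw, severity))
    return findings


# Constructed sample entries, standing in for values read from the Suffixes key.
SAMPLE = [".com", "vendor-site.example"]

if __name__ == "__main__":
    for entry, severity in audit_suffixes(SAMPLE):
        print(f"{severity:8} {entry}")
    for host in ("www.hotmail.com", "unrelated-site.com", "unrelated-site.net"):
        print(host, host_allowed(host, SAMPLE))
```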
Super-Net has overcome these problems by implementing Nortel's Quality of Service on Ethernet switching.
QoS allocates priorities to some streams of data so critical applications get higher priority during periods of network congestion. To test the difference in performance, CeNTIE loaded Super-Net lightly at 9Gbps -- roughly the same as Sydney's phone system traffic at peak-hour.
Then, without using QoS, it put the last 1Gbps in, so the network was totally congested.
"First the video freezes, the haptics disappear, then the remote end starts wobbling and jerking and you're wondering what the hell's happening," Dr Economou said.
"Then we increase the QoS for the video stream and after about 10 seconds the video resyncs and bang, you've got video. But the haptics link is still broken so we increase the priority on the haptics traffic and bang, it's working again.
"The critical applications have a high priority so they're getting through no matter what."
The 10Gbps Ethernet will become very important in the next few years.
It's competing head-on with Sonet, the current standard in metropolitan area networks, Dr Economou said.