Forwarded From: Synthe Omicron <syntheat_private>

ICQ Password Problem Squashed
by James Glave
12:05pm 17.Aug.98.PDT

An instant messaging service bounced back Friday night from a serious security problem that, as of late last week, allowed many of its 15 million members to log into the system using someone else's account. Using the bug, an imposter could potentially talk his way into obtaining sensitive information.

America Online (AOL) subsidiary Mirabilis fixed the problem with its ICQ system late Friday, following a Wired News request for comment on the issue.

"We immediately identified the issue and fixed it -- [the security hole] resulted from some improvements we have recently introduced in the system," said Yossi Vardi, director of business development for Mirabilis, in an email sent Sunday.

The Israeli company bills ICQ as "the world's largest Internet online instant communication network." The system's home page boasts that more than 60,000 new users sign up for ICQ every day. Members use the system to check whether friends are online and to send each other "instant" text messages.

Though Mirabilis cautions against using ICQ for "mission critical" tasks, the system is gaining popularity in corporate settings because it is faster than email for exchanging quick information such as sales data.

Friday's bug was the most recent of several security problems that have plagued the ICQ system. It worked by exploiting an administrator account called UIN1, which is used to send system-wide messages.

A colleague of Zack Allison, a 19-year-old developer, found the bug while working on Allison's independent effort to write an ICQ client for the Linux operating system. Allison found that it was possible to log into ICQ as anyone else simply by using a password longer than eight characters on a non-Windows client.
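The article says only that a password longer than eight characters, sent from a non-Windows client, let a user log in as anyone; it does not say how the server handled that input. The following Python is an added illustration, not ICQ's code and not a claim about what Mirabilis' server actually did: it shows the general bug class a tester probes for after a report like this, a login path whose outcome depends on password length because a fixed-width store truncates what it keeps and compares, beside a hardened check that rejects over-long input, hashes the full password and compares in constant time. The UINs, passwords, salt derivation, PBKDF2 round count and length limits are all constructed for the example.

```python
import hashlib
import hmac

# Width of the password field a fixed-layout store (or login packet) keeps.
FIELD_WIDTH = 8
# Upper bound the hardened path accepts before hashing (assumed limit).
MAX_PASSWORD_BYTES = 64
PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly


def _salt_for(uin: int) -> bytes:
    """Deterministic per-UIN salt so the example is reproducible offline.
    A real store would draw os.urandom(16) per account instead."""
    return hashlib.sha256(b"example-salt:" + str(uin).encode()).digest()[:16]


def _digest(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def enroll(store: dict, uin: int, password: str, truncate: bool) -> None:
    """Store credentials for a UIN. With truncate=True the store silently
    drops every byte past FIELD_WIDTH, mimicking fixed-width storage."""
    pw = password.encode()
    if truncate:
        pw = pw[:FIELD_WIDTH]
    salt = _salt_for(uin)
    store[uin] = (salt, _digest(pw, salt))


def naive_login(store: dict, uin: int, password: str) -> bool:
    """Weak check: truncates the supplied password to the field width, so any
    input that merely starts with the real password is accepted and the
    caller never has to know what came after the eighth byte."""
    if uin not in store:
        return False
    salt, stored = store[uin]
    return _digest(password.encode()[:FIELD_WIDTH], salt) == stored


def hardened_login(store: dict, uin: int, password: str) -> bool:
    """Hardened check: empty or over-long input is rejected outright rather
    than truncated, the full password is hashed, and the comparison is
    constant-time. An unknown UIN still performs a hash so that response
    time does not reveal which UINs exist."""
    pw = password.encode()
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt, stored = store.get(uin, (_salt_for(0), b"\x00" * 32))
    return hmac.compare_digest(_digest(pw, salt), stored)


def build_stores():
    """Two stores holding the same constructed accounts: UIN 1 stands in for
    a privileged system account, UIN 4242 for an ordinary member whose real
    password is already longer than the fixed field."""
    accounts = {1: "sysmsg01", 4242: "hunter2!!"}
    naive, hardened = {}, {}
    for uin, pw in accounts.items():
        enroll(naive, uin, pw, truncate=True)
        enroll(hardened, uin, pw, truncate=False)
    return naive, hardened


def probe(uin: int, password: str) -> dict:
    """Run one login attempt against both stores and report which accepted it."""
    naive, hardened = build_stores()
    return {"naive": naive_login(naive, uin, password),
            "hardened": hardened_login(hardened, uin, password)}


if __name__ == "__main__":
    # Over-long guess that shares only its first eight bytes with the real password.
    print(probe(1, "sysmsg01-anything-after-this-is-ignored"))
    # Correct password for the same account.
    print(probe(1, "sysmsg01"))
    # An eight-byte prefix of a nine-byte real password.
    print(probe(4242, "hunter2!"))
```

The useful part for a practitioner is `probe`: run the same over-long input against your own login path from every client type you support and confirm the answer does not change with the length of the password or the client that sent it. Rejecting input past the field width at the parser, before any comparison, is what keeps the two paths from diverging.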
"I could use [UIN1] to log into anyone's account, and send and receive messages, and if there were any offline messages waiting, they would be delivered," Allison said. "There is always the possibility of misinformation -- someone could log in as your account and send false messages to some other people, or log in and send emergency messages."

Allison said that if an ICQ member was using the system to transfer files, a malicious user could log in as someone known to that person -- and send a program that the user assumed was from a trusted source.

"But [the message] could contain any number of viruses, or Back Orifice," Allison said, referring to a Trojan horse program affecting Windows 95 and 98 users.

Though Allison praised Mirabilis for dealing with the password issue swiftly, other problems linger. These issues -- relating to the ability to spoof or hijack another user's account -- remain largely because the newest version of the system's protocol, the actual networking mechanics the clients and servers use, is designed to stay compatible with older, less secure versions that the servers therefore continue to accept.

"It seems like they are improving the protocol," said Seth McGann, the author of an ICQ spoofing program. "Now they have [Version 5, the latest revision] that is more secure than the older ones.... They are trying to improve their security."

Many users have reported frustration at finding their ICQ accounts and identities stolen out from under them.

"Myself and my daughter are victims of someone doing this to us," said former ICQ user Natrice Rese in an email to Wired News. "Just today, [I] received messages from someone professing to be my daughter, who asked for my password to check out something on ICQ, because my daughter is having trouble with someone spamming and harassing her."

"We have been forced to drop the ICQ chat program because this person has taken our accounts, and changed the passwords ... and [is] impersonating us," Rese said.

But Mirabilis promises that all these problems will soon be a memory.
"In the very near future we are releasing a completely new and much improved client with a lot of completely new services," said Vardi. "In this client, some additional issues are going to be resolved," he said.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:40 PDT