[ISN] ICQ Password Problem Squashed

From: mea culpa (jerichoat_private)
Date: Wed Aug 19 1998 - 15:53:29 PDT


    Forwarded From: Synthe Omicron <syntheat_private>

    ICQ Password Problem Squashed
    by James Glave
    12:05pm  17.Aug.98.PDT

    An instant messaging service bounced back Friday night from a serious
    security problem that, as of late last week, was allowing many of its 15
    million members to log into the system using someone else's account. Using
    the bug, an imposter could potentially talk his way into gaining sensitive

    America Online (AOL) subsidiary Mirabilis fixed the problem with its ICQ
    system late Friday, following a Wired News request for comment on the

    "We immediately identified the issue and fixed it -- [the security hole]
    resulted from some improvements we have recently introduced in the
    system," said Yossi Vardi, director of business development for
    Mirabilis, in an email sent Sunday.

    The Israeli company bills ICQ as "the world's largest Internet online
    instant communication network." The system's home page boasts that more
    than 60,000 new users sign up for ICQ every day.

    Members use the system to check if friends are online, and send each other
    "instant" text messages. Though Mirabilis cautions against using ICQ for
    "mission critical" tasks, the system is gaining popularity in corporate
    settings because it is faster than email for exchanging quick information
    such as sales data.

    Friday's bug was the most recent of several security problems that have
    plagued the ICQ system. It worked by exploiting an administrator account
    called UIN1 that is used to send system-wide messages.

    A colleague of Zack Allison, a 19-year-old developer, discovered the bug
    while working on Allison's independent effort to code an ICQ client for
    the Linux operating system.

    Allison discovered it was possible to log into ICQ as anyone else, simply
    by using a password longer than eight characters on a non-Windows client.

    "I could use [UIN1] to log into anyone's account, and send and receive
    messages, and if there were any offline messages waiting, they would be
    delivered," Allison said.

    "There is always the possibility of misinformation -- someone could log in
    as your account and send false messages to some other people, or log in
    and send emergency messages."

    Allison said that if an ICQ member was using the system to transfer files,
    a malicious user could log in as someone known to that person -- and send
    a program that the user assumed was from a trusted source.

    "But [the message] could contain any number of viruses, or Back Orifice,"
    Allison said, referring to a Trojan horse program affecting Windows 95 and
    98 users.

    Though Allison praised Mirabilis for dealing with the password issue
    swiftly, other problems linger. These issues -- relating to the ability to
    spoof or hijack another user's account -- remain, largely because the
    system's newest protocol, the actual networking mechanics used by the
    system, is designed to support older, less-secure versions.

    "It seems like they are improving the protocol," said Seth McGann, the
    author of an ICQ spoofing program. "Now they have [Version 5, the latest
    revision] that is more secure than the older ones.... They are trying to
    improve their security."

    Many users have reported frustration with having found their ICQ accounts
    and identities stolen out from under them.

    "Myself and my daughter are victims of someone doing this to us," said
    former ICQ user Natrice Rese in an email to Wired News. "Just today, [I]
    received messages from someone professing to be my daughter, who asked for
    my password to check out something on ICQ, because my daughter is having
    trouble with someone spamming and harassing her."

    "We have been forced to drop the ICQ chat program because this person has
    taken our accounts, and changed the passwords ... and [is] impersonating
    us," Rese said.

    But Mirabilis promises that all these problems will soon be a memory.

    "In the very near future we are releasing a completely new and much
    improved client with a lot of completely new services," said Vardi.

    "In this client, some additional issues are going to be resolved," he

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:40 PDT