Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Hotmail/MS Instant Messenger issue...

From: James Nelson <xi () EMPLOYEES ORG>
Date: Mon, 14 Aug 2000 16:43:23 -0700
Synopsis:
If you use a Hotmail account to log in to Instant Messenger, and your Hotmail
account gets cancelled, your contact (or 'buddy') list does not get cleaned. If
another person creates a Hotmail account using that name, they will have access
to your contact list, and will show up on any contact list you're a part of.

Scenario:
User A creates Hotmail account superman () hotmail com, and uses it to log into
Instant Messenger. User A adds a bunch of contacts, for instance
loislane () hotmail com, or jimmyolsen () passport com. If User A does not login to
the superman mailbox for some months (could not find the exact period of time on
Hotmail's web site), it will be automatically cancelled. However, the contacts
list lives on.

Let's suppose that right about that time User B decides superman () hotmail com
would be a cool address, and creates it. If User B installs Instant Messenger,
the contacts list will already be populated with User A's friends. Not only
that, but User B will now appear on any person who had added User A to their
contact list.

Granted that User B will probably choose a different display name, but since
those can be arbitrarily changed, User A's friend's may not think anything is
amiss.

Personal Experience:
This very thing has happened twice to me---the first time, I was using IM
constantly, Hotmail cancelled my account because (apparently) an Instant
Messenger login doesn't reset the Hotmail inactivity counter. I asked to have my
password reset, and I was told my account never existed. So, thinking it was a
glitch, I recreated my account (same name). Imagine my surprise when my contacts
were already there!

The second time I simply did not use another account, for Hotmail or IM. One day
someone unknown appeared in my contacts list. Turned out that someone had
registered that (by then cancelled) account, and had inherited my contacts list.

Vendor Notification:
Microsoft has been notified through their IM feedback page. No response, yet,
other than the automated one.

Credits:
Dmitri Alperovitch did a quick audit of Instant Messenger when it came out, and
pointed out that impersonation might be an issue.

Thanks,

James Nelson...
Previous By Date Next
Previous By Thread Next

Current thread: