Bugtraq mailing list archives
Hotmail/MS Instant Messenger issue...
From: James Nelson <xi () EMPLOYEES ORG>
Date: Mon, 14 Aug 2000 16:43:23 -0700
Synopsis: If you use a Hotmail account to log in to Instant Messenger, and your Hotmail account gets cancelled, your contact (or 'buddy') list does not get cleaned. If another person creates a Hotmail account using that name, they will have access to your contact list, and will show up on any contact list you're a part of.

Scenario: User A creates Hotmail account superman () hotmail com, and uses it to log in to Instant Messenger. User A adds a bunch of contacts, for instance loislane () hotmail com, or jimmyolsen () passport com. If User A does not log in to the superman mailbox for some months (could not find the exact period of time on Hotmail's web site), it will be automatically cancelled. However, the contacts list lives on. Let's suppose that right about that time User B decides superman () hotmail com would be a cool address, and creates it. If User B installs Instant Messenger, the contacts list will already be populated with User A's friends. Not only that, but User B will now appear on any person who had added User A to their contact list. Granted that User B will probably choose a different display name, but since those can be arbitrarily changed, User A's friends may not think anything is amiss.

Personal Experience: This very thing has happened twice to me---the first time, I was using IM constantly, Hotmail cancelled my account because (apparently) an Instant Messenger login doesn't reset the Hotmail inactivity counter. I asked to have my password reset, and I was told my account never existed. So, thinking it was a glitch, I recreated my account (same name). Imagine my surprise when my contacts were already there! The second time I simply did not use another account, for Hotmail or IM. One day someone unknown appeared in my contacts list. Turned out that someone had registered that (by then cancelled) account, and had inherited my contacts list.

Vendor Notification: Microsoft has been notified through their IM feedback page. No response, yet, other than the automated one.

Credits: Dmitri Alperovitch did a quick audit of Instant Messenger when it came out, and pointed out that impersonation might be an issue.

Thanks, James Nelson...
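The flaw the post describes is an identifier-recycling problem: the contact list is bound to the reusable e-mail handle rather than to the account that created it, so cancelling the mailbox leaves the list (and every inbound reference to it) intact for whoever registers the handle next. The following is an added illustration, not code from the post or from Microsoft, and it models nothing about the real Hotmail or Messenger back end: the two directory classes, the bare handles taken from the post's scenario, and the `run_scenario` helper are all constructed here. It contrasts a handle-keyed store with one that mints a fresh, never-reused account id per registration and tombstones the old id on cancellation.

```python
import itertools


class HandleKeyedDirectory:
    """Flawed model: contact lists are stored under the e-mail handle and
    are left in place when the mailbox is cancelled, so whoever re-registers
    the handle inherits the list and reappears on other users' lists."""

    def __init__(self):
        self.active = set()            # handles currently registered
        self.contacts = {}             # owner handle -> set of contact handles

    def register(self, handle):
        self.active.add(handle)
        self.contacts.setdefault(handle, set())   # a stale list survives, if any

    def add_contact(self, owner, contact):
        self.contacts[owner].add(contact)

    def cancel(self, handle):
        self.active.discard(handle)    # the contact list is not purged

    def contacts_of(self, handle):
        return set(self.contacts.get(handle, set()))

    def lists_showing(self, handle):
        """Active users whose contact list will display `handle` as present."""
        return {owner for owner, cs in self.contacts.items()
                if handle in cs and owner in self.active}


class IdKeyedDirectory:
    """Hardened model: every registration mints a fresh, never-reused account
    id; contact lists reference ids, and cancellation purges the owner's list
    and removes the id from every other list (a tombstone)."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.by_handle = {}            # handle -> account id, only while active
        self.contacts = {}             # account id -> set of account ids

    def register(self, handle):
        aid = next(self._ids)          # new id even if the handle was used before
        self.by_handle[handle] = aid
        self.contacts[aid] = set()

    def add_contact(self, owner, contact):
        self.contacts[self.by_handle[owner]].add(self.by_handle[contact])

    def cancel(self, handle):
        aid = self.by_handle.pop(handle)
        self.contacts.pop(aid, None)
        for cs in self.contacts.values():
            cs.discard(aid)            # the old identity disappears everywhere

    def _id_to_handle(self):
        return {aid: h for h, aid in self.by_handle.items()}

    def contacts_of(self, handle):
        names = self._id_to_handle()
        return {names[c] for c in self.contacts[self.by_handle[handle]]
                if c in names}

    def lists_showing(self, handle):
        aid = self.by_handle[handle]
        names = self._id_to_handle()
        return {names[owner] for owner, cs in self.contacts.items() if aid in cs}


def run_scenario(directory):
    """Replay the post's scenario (constructed handles, no domains) against a
    directory model and return (User B's inherited contacts, lists User B
    now appears on)."""
    for h in ("loislane", "jimmyolsen", "superman"):
        directory.register(h)
    directory.add_contact("superman", "loislane")      # User A adds friends
    directory.add_contact("superman", "jimmyolsen")
    directory.add_contact("loislane", "superman")      # a friend adds User A
    directory.cancel("superman")                       # inactivity cancellation
    directory.register("superman")                     # User B takes the handle
    return directory.contacts_of("superman"), directory.lists_showing("superman")


if __name__ == "__main__":
    print("handle-keyed:", run_scenario(HandleKeyedDirectory()))
    print("id-keyed:    ", run_scenario(IdKeyedDirectory()))
```

In the handle-keyed model User B starts with User A's two contacts and is already visible on Lois Lane's list; in the id-keyed model both sets are empty, because the cancelled id is gone from every list and the re-registered handle maps to an unrelated id. The same principle applies to any system that lets display handles or mailbox names be reclaimed: authorisation and social-graph state should hang off a non-recyclable account identifier, and cancellation should tombstone that identifier.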
Current thread:
- Hotmail/MS Instant Messenger issue... James Nelson (Aug 15)
- <Possible follow-ups>
- Re: Hotmail/MS Instant Messenger issue... Microsoft Security Response Center (Aug 16)