Bugtraq mailing list archives
RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
From: Chris <wickedc () suscom-maine net>
Date: Sat, 25 Aug 2001 00:13:19 -0400
I suspect this bug is also exploitable from HTML email by including the magic ICQ URL in an <IFRAME> tag embedded in the message.
Richard
This could also be exploited through HTML using the refresh meta tag... When viewing the originating email of this thread in the Eudora 5.0 preview window (while "Microsoft's viewer" [which is really just IE] was enabled in the options), the META tag was read and executed and the preview window was refreshed to show "[ICQ User] UIN= Email= NickName= FirstName= LastName="
I suspect this information was displayed rather than executed due to the fact that I don't have ICQ installed on this machine, and therefore no MIME type exists for such content on this machine. I was unable to test this with ICQ installed since Windows' and AOL's programming (Mirabilis is owned by AOL, don't you know?) makes ICQ crash every time it's started.
However, this shows that it's possible for a refresh meta tag to affect a PREVIEW window and execute the add user content. Can We Say, "Email Tracking"?
This could be (scarily) used by spammers to track valid email addresses. With a simple program to interface with ICQ or an ICQ dummy client (that only listens for "User has added you" messages), the spammer would be able to verify the email address through the email address listed in the ICQ user's profile. The spammer now also has the user's ICQ number, giving them yet another medium to spam over.
Just more scary they're-all-out-to-get-you things to think about =)
- Chris
-----Original Message-----
From: AreS [mailto:ares () security-downloads com]
Sent: Wednesday, August 22, 2001 6:14 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users

Topic: ICQ Forced Auto-Add Users
Announced: 2001-08-17
Affects: ICQ 200x* up to 2001a Alpha

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

I. Problem Description
**********************
ICQ is a popular and free chat program, with over 108,022,319 users all over the world. When ICQ is installed, it adds a Content-Type to Microsoft Internet Exploder, the "application/x-icq" type. When IE receives "Content-Type: application/x-icq" from a web server and following content:
Current thread:
- Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users AreS (Aug 22)
- Re: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Gustavo Molina (Aug 24)
- RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Richard M. Smith (Aug 24)
- RE: Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users Chris (Aug 25)
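
A mail-gateway check for the two vectors raised in this thread, a refresh META tag and an IFRAME in an HTML message body, that reports the URL each one would load in a preview pane. This is an added example, not code from any poster or from the advisory; `ActiveNavFinder` and `scan_message` are hypothetical names, and the sample message, addresses and `tracker.example` URLs are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser


class ActiveNavFinder(HTMLParser):
    """Collect tags that make an HTML viewer load a URL with no user click."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # content is "<seconds>; url=<target>"; the url part is optional.
            _, _, rest = a.get("content", "").partition(";")
            key, _, url = rest.strip().partition("=")
            target = url.strip(" '\"") if key.strip().lower() == "url" else ""
            self.findings.append(("meta-refresh", target))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.findings.append((tag, a["src"].strip()))


def scan_message(raw_bytes):
    """Return (kind, url) findings for every text/html part of a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveNavFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings


# Constructed sample message (addresses and URLs are placeholders).
SAMPLE = (
    b"From: sender@example.com\nTo: rcpt@example.com\nSubject: sample\n"
    b"MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
    b'<html><head><META HTTP-EQUIV="Refresh" '
    b'CONTENT="0; URL=http://tracker.example/add?id=42"></head>\n'
    b'<body><IFRAME SRC="http://tracker.example/frame"></IFRAME></body></html>\n'
)

if __name__ == "__main__":
    for kind, url in scan_message(SAMPLE):
        print(f"{kind}: {url}")
```

A gateway could use the findings to quarantine the message or strip the offending tags before delivery; plain-text parts are skipped because a viewer does not act on markup there.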