[MUD-Dev] OT: ICQ hacks and exploits

J C Lawrence claw at under.engr.sgi.com
Fri Jun 5 09:23:40 New Zealand Standard Time 1998


Due to the number of ICQ users we have here:

Date: 4 Jun 1998 21:49:09 -0000
From: announce-outgoing at rootshell.com
Cc: recipient list not shown:  ;
Subject: [rootshell] Security Bulletin #19

...deletia...
An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive
...deletia...

01. ICQ Hijaak
- --------------

As of 6/3/98 Mirabilis has disabled the ability to change your password at
all.  The purpose of this bulletin is to alert all ICQ users of the dangers
in the ICQ protocol.  Rootshell now has 4 unique exploits for the ICQ
protocol online at www.rootshell.com.

- --

Date:         Sun, 31 May 1998 16:46:20 -0700
From:         wumpus at INNOCENT.COM
Subject:      ICQ Hijaaking.. Is YOUR account safe?

The source code here pretty much says it all.  Mirabilis has been extremely
negligent in fixing protocol holes, and this allows accounts to be subverted
with possible leaks of information.

Merely by leaving your ICQ application logged in ( Java _or_ Win32 ) your
account can be hijaaked (the password changed withoyt knowing the original).
An attacker can then use that account to obtain information from people
contacting you, or to do other inappropriate things which would result in
the account being terminated.

I have given Mirabilis fair warning of this attack, and talked with Arik
about what was necessary to fix it.  Unfortunately, with the last four versions
this has not been put into place.  It would seem the only way to fix such
grave problems with their protocol is to air it in the public arena.

There are no real workarounds for this problem, although there are some
obvious workarounds to this exploit (left to the reader).  If you value your
ICQ account, do not log into it until a fix is available.  Otherwise, you
can hope no one bothers to hit your UIN --- there are a huge number and you
might be lucky.

...full source code of exploit deletia...

--
J C Lawrence                               Internet: claw at null.net
(Contractor)                               Internet: coder at ibm.net
---------(*)                     Internet: claw at under.engr.sgi.com
...Honourary Member of Clan McFud -- Teamer's Avenging Monolith...




More information about the MUD-Dev mailing list