[MUD-Dev] Re: OT: ICQ hacks and exploits
mike at bignetwork.com
Fri Jun 5 10:09:01 New Zealand Standard Time 1998
Interesting. One wonders whether the much-rumored $300M sale of ICQ to AOL
will change this situation (not to mention exemplifying the business model
of the '90s :-) ). =20
At 09:23 AM 6/5/98 -0700, J C Lawrence wrote:
>Due to the number of ICQ users we have here:
>Date: 4 Jun 1998 21:49:09 -0000
>From: announce-outgoing at rootshell.com
>Cc: recipient list not shown: ;
>Subject: [rootshell] Security Bulletin #19
>An archive of this list is available at :
>01. ICQ Hijaak
>As of 6/3/98 Mirabilis has disabled the ability to change your password at
>all. The purpose of this bulletin is to alert all ICQ users of the dangers
>in the ICQ protocol. Rootshell now has 4 unique exploits for the ICQ
>protocol online at www.rootshell.com.
>Date: Sun, 31 May 1998 16:46:20 -0700
>From: wumpus at INNOCENT.COM
>Subject: ICQ Hijaaking.. Is YOUR account safe?
>The source code here pretty much says it all. Mirabilis has been extremely
>negligent in fixing protocol holes, and this allows accounts to be=
>with possible leaks of information.
>Merely by leaving your ICQ application logged in ( Java _or_ Win32 ) your
>account can be hijaaked (the password changed withoyt knowing the=
>An attacker can then use that account to obtain information from people
>contacting you, or to do other inappropriate things which would result in
>the account being terminated.
>I have given Mirabilis fair warning of this attack, and talked with Arik
>about what was necessary to fix it. Unfortunately, with the last four
>this has not been put into place. It would seem the only way to fix such
>grave problems with their protocol is to air it in the public arena.
>There are no real workarounds for this problem, although there are some
>obvious workarounds to this exploit (left to the reader). If you value=
>ICQ account, do not log into it until a fix is available. Otherwise, you
>can hope no one bothers to hit your UIN --- there are a huge number and you
>might be lucky.
>...full source code of exploit deletia...
>J C Lawrence Internet: claw at null.net
>(Contractor) Internet: coder at ibm.net
>---------(*) Internet: claw at under.engr.sgi.com
>...Honourary Member of Clan McFud -- Teamer's Avenging Monolith...
>MUD-Dev: Advancing an unrealised future.
Mike Sellers=A0=A0=A0=A0=A0=A0 Chief Creative Officer=A0=A0=A0=A0=A0=A0 The=
mike at bignetwork.com=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0
=A0=A0=A0=A0=A0=A0=A0=A0=A0 Fun=A0=A0 Is=A0=A0 Good =20
More information about the MUD-Dev