Vulnerability Development mailing list archives

Re: ICQ Spoofing Question (or second dumb question of the day)


From: Masial <masial () SECURED ORG>
Date: Wed, 20 Sep 2000 09:41:14 -0400

-----Original Message-----
From: Robert van der Meulen
Sent: Wednesday, September 20, 2000 4:58 AM

It is possible to send a change-password request after the client has
connected to the server. It is imperative, though, that the client has not
been 'active' after the connect (i.e. no send-through-server messages
received or sent), because of a serial-number guessing problem.
Very probably it is possible to send a free-for-chat request/packet in the
same manner.

Are you certain that this information is still valid? I certainly remember
about this but it was a while back with an older version of ICQ. I believe
they fixed this server-side after much account stealing occurred. That's too
bad because I could have had my old UIN back (sub mil). I believe
change-password now requires you to be authenticated with the ICQ server
first. Or maybe I'm not understanding your point?

(Of course everybody knows by now that ICQ is a braindead protocol that was
meant to be broken from day #1)

I like the 'meant to' part, heh, but that would imply they were not
incredibly clueless about the internet. I remember a public statement where
they once stated someone had hacked ICQ accounts via a trojan JPEG image,
uhh, yeah, ok (r33t).


M.

