Bugtraq mailing list archives

Security Issues in Rediff Bol Messenger


From: S G Masood <sgmasood () yahoo com>
Date: Wed, 22 Jan 2003 15:27:07 -0800 (PST)

The widely used Indian Instant Messaging service
"Rediff Bol (Ver. 2.0.2)" by www.rediff.com has a few
security problems. The major one is that a malicious
user can log another user out by "feeding" him a
specially constructed URL ;))


1. Malicious logging out of a user: Rediff Bol
registers a URL protocol "Rbol:" with its main
executable bol.exe as the handler. Therefore, when a
URL starting with "rbol:" (without the quotes) is
accessed, bol.exe is launched and the parameters are
passed to it for further action.

In this case, when the URL "rbol:login" is accessed
(through a browser, for instance), the application
misbehaves and logs out the user. Further, he will not
be able to log in again unless bol.exe is completely
terminated and restarted. I say "completely
terminated" because sometimes, after exploitation,
just pressing "exit" will not stop bol.exe completely
until it is killed from the Task Manager.

This is further exacerbated because the email service
provided by www.rediff.com does not have *any* kind of
malicious scripting check and therefore is prone to
all kinds of XSS attacks. Consequently, if 'A' wants
to chuck 'B' out of a 'Rediff Bol' session, he can
send an HTML mail to B's Rediffmail account which,
when opened, will redirect him to the "rbol:login"
URL. This will log 'B' out of 'Bol'. 

And, of course, the HTML mail will contain something
like:
<script>
window.location="rbol:login"
</script>

Solution: Deleting/disabling the "Rbol:" protocol from
the 'HKCR\rbol' registry key will solve the problem
until the vendor provides a more graceful solution ;).
According to my investigation, the "Rbol:" protocol is
presently not used by Bol to provide any core service
and therefore it can probably be safely disabled.
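The following PowerShell script is an added example, not part of the original advisory and not Rediff's code. It shows how an administrator can verify the workaround above: list every URL protocol scheme registered under HKCR (so the "rbol" handler can be seen next to legitimate ones such as http or mailto), back up the rbol key with reg.exe, and then remove it. It assumes the handler follows the standard Windows layout for URL protocols (an "HKCR\<scheme>" key carrying a "URL Protocol" value and a "shell\open\command" subkey), which the advisory does not state; the scheme name and backup path are parameters. Run it in an elevated session.

```powershell
# Added example (not from the advisory): audit registered URL protocol handlers and
# disable the "rbol:" handler by exporting and deleting HKCR\rbol, as suggested above.
# Assumption: the handler uses the usual HKCR\<scheme> layout with a "URL Protocol" value.

# Enumerate every scheme that Windows will hand to an external program when a browser
# or mail client follows a "<scheme>:..." link. Enumerating HKCR takes a few seconds.
function Get-UrlProtocolHandler {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol', $null) } |
        ForEach-Object {
            $cmdKey = Join-Path $_.PSPath 'shell\open\command'
            $command = $null
            if (Test-Path $cmdKey) {
                # GetValue('') reads the key's (default) value, i.e. the launch command line.
                $command = (Get-Item -Path $cmdKey).GetValue('')
            }
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $command
            }
        }
}

# Back up the handler key to a .reg file, then remove it so "rbol:" links no longer
# launch bol.exe. Restore later with: reg import <BackupPath>
function Disable-UrlProtocolHandler {
    param(
        [string]$Scheme = 'rbol',
        [string]$BackupPath = (Join-Path $env:TEMP "$Scheme-handler-backup.reg")
    )
    $key = "Registry::HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path $key)) {
        Write-Output "No '$Scheme' protocol handler is registered; nothing to do."
        return
    }
    & reg.exe export "HKCR\$Scheme" $BackupPath /y | Out-Null
    Remove-Item -Path $key -Recurse -Force
    Write-Output "Removed '$Scheme' handler; backup written to $BackupPath"
}

# Usage: show the rbol handler (and what it launches), then disable it.
Get-UrlProtocolHandler | Where-Object { $_.Scheme -eq 'rbol' } | Format-Table -AutoSize
Disable-UrlProtocolHandler -Scheme 'rbol'
```

Listing all handlers first is deliberate: the same "any link can launch a local executable with attacker-chosen arguments" risk applies to every custom scheme on the machine, so the audit is worth keeping even after the rbol key is gone.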


2. Unencrypted Transfer of Account/Authentication
Information: When a user logs in to Rediff Bol, the
account information (user name, password, etc.) that is
transferred to the server from the client is not
encrypted in any way. Consequently, anyone sniffing
along the route can gain access to this information.

Solution: The user cannot do much to protect himself
from this kind of sniffing. This has to be resolved by
the vendor.

Regards
S.G.Masood

