Vulnerability Development mailing list archives
[Fwd: RE: security in MSN messenger service [MSRC 180]]
From: John () BRAHY COM (John Brahy)
Date: Mon, 17 Apr 2000 12:21:15 -0700
Well, secure () microsoft com seems to think that this vulnerability is completely theoretical. I think that Microsoft security is completely theoretical, but everyone is entitled to their opinion.

John

-------- Original Message --------
Subject: RE: security in MSN messenger service [MSRC 180]
Date: Mon, 17 Apr 2000 11:13:32 -0700
From: Microsoft Security Response Center <secure () microsoft com>
To: "'John Brahy'" <John () brahy com>

Hi John -

Thanks for your note. We've investigated the report that you sent, and I wanted to get back in touch to let you know what we found out.

You're right that the file could be used to effect a logon to Hotmail. However, it's only written to the machine after you've already provided bona fide logon credentials, and it's deleted within seconds of being written to the machine. In addition, it doesn't contain any plaintext passwords or other authentication information.

So, the potential exposure here would be from a case in which a user could (a) get you to log onto Hotmail or MSN Messenger, (b) get you to leave your computer unattended and (c) do this with exactly the right timing in order to copy the file during the very short period that it exists. However, if a malicious user has physical access to your machine, he already has de facto control over it -- he could, for instance, simply install software to display a bogus Hotmail logon screen and collect your password that way.

I hope that helps answer the question. If we've missed something, please let me know, as we'd be happy to continue looking into the issue.

Regards,
Secure () microsoft com

-----Original Message-----
From: John Brahy [mailto:John () Brahy com]
Sent: Saturday, April 15, 2000 3:43 PM
To: Microsoft Security Response Center
Subject: security in MSN messenger service

I have noticed that when I check email from the MSN Messenger, MSN Messenger writes a temp file in C:\windows\temp\sfd4080.htm. The contents of that file are below.

What I have found is that if that file is saved, you can use it as a redirect to hotmail without using a password. I wonder what a "while true" loop looking in c:\windows\temp\ would be able to capture? Session seems to time out around 5 minutes. When that happens, the "creds" value changes but not the auth.

------------START-OF-HTML----------------------
<html>
<head>
<noscript>
<meta http-equiv=Refresh content="0; url=http://www.hotmail.com">
</noscript>
</head>
<body onload="document.pform.submit(); ">
<form name="pform" action="http://www.hotmail.msn.com/ppsecure/domessengerlogin" method="POST">
<input type="hidden" name="mode" value="ttl">
<input type="hidden" name="login" value="jbrahy">
<input type="hidden" name="username" value="jbrahy () hotmail com">
<input type="hidden" name="sid" value="507">
<input type="hidden" name="kv" value="2">
<input type="hidden" name="id" value="2">
<input type="hidden" name="sl" value="7313">
<input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
<input type="hidden" name="auth" value="(58 characters)">
<input type="hidden" name="creds" value="(32 characters)">
<input type="hidden" name="svc" value="mail">
<input type="hidden" name="js" value="yes">
</form>
</body>
</html>
------------END-OF-HTML----------------------
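
Added example, not part of the original messages and not Microsoft's code: a small static audit that a reviewer could run over a login hand-off page like the one quoted above, reporting why a saved copy is sensitive without echoing the token values. The field names `auth` and `creds` come from the post; the host `login.example.test`, the token placeholders and the names `HandoffAudit` and `audit` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the file in the post; all values are placeholders.
SAMPLE = """<html><body onload="document.pform.submit();">
<form name="pform" action="http://login.example.test/domessengerlogin" method="POST">
<input type="hidden" name="login" value="alice">
<input type="hidden" name="auth" value="AUTH-PLACEHOLDER">
<input type="hidden" name="creds" value="CREDS-PLACEHOLDER">
<input type="hidden" name="svc" value="mail">
</form></body></html>"""

# Assumption: hidden fields treated as authentication material (names from the post).
SECRET_FIELDS = {"auth", "creds"}


class HandoffAudit(HTMLParser):
    """Collects the properties that make a saved login hand-off page replayable."""

    def __init__(self):
        super().__init__()
        self.autosubmit = False
        self.action = None
        self.secrets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body" and "submit(" in a.get("onload", ""):
            self.autosubmit = True
        elif tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            if a.get("name", "").lower() in SECRET_FIELDS and a.get("value"):
                self.secrets.append(a["name"])  # record the name only, never the value


def audit(html_text):
    """Return a list of findings for one hand-off page; empty if none apply."""
    p = HandoffAudit()
    p.feed(html_text)
    p.close()
    findings = []
    if p.secrets:
        findings.append("session tokens stored in file: " + ", ".join(sorted(p.secrets)))
    if p.secrets and p.autosubmit:
        findings.append("page auto-submits, so opening a copy replays the login")
    if p.secrets and urlparse(p.action or "").scheme == "http":
        findings.append("tokens are posted over plaintext HTTP")
    return findings
```

Calling `audit(SAMPLE)` returns all three findings; a page with no populated `auth` or `creds` field returns an empty list.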