Vulnerability Development mailing list archives

Re: ICQ exploit


From: Knud Erik Højgaard - CyberCity Support <kain () PERKER DK>
Date: Wed, 28 Mar 2001 12:17:43 +0200

to me it seems like you would need the user's password to authenticate on the
icq server.. if you didn't, i could imagine a lot worse scenarios than
knocking people off.. like hijacking all accounts and changing their
password, since icq doesn't ask for your old password when you want to
change it.. byebye icq .. :)

Kind regards

Knud Erik Højgaard <knud () cybercity dk>
Cybercity Erhvervssupport <support () erhverv cybercity dk>
http://www.cybercity.dk/support
Tel. 33 98 30 60
|-- Jesus saves, but only Buddha makes incremental backups --|

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Geo.
Sent: 26 March 2001 21:22
To: VULN-DEV () SECURITYFOCUS COM
Subject: ICQ exploit


While playing around with my laptop and desktop today I noticed something
with ICQ.

If you have ICQ set up on 2 machines using the same ICQ number, as soon as
the second machine starts ICQ up the first machine gets an error about your
ICQ number being used on another machine and immediately takes ICQ off line.

I don't know the mechanism that allows this but has anyone considered an
exploit based upon this mechanism? Seems to me a sequential run could knock
a whole bunch of people off ICQ..

Geo.

