Forwarded From: Synthe Omicron <synthe@ronin.net>
ICQ Password Problem Squashed
by James Glave
12:05pm 17.Aug.98.PDT
An instant messaging service bounced back Friday night from a serious
security problem that, as of late last week, was allowing many of its 15
million members to log into the system using someone else's account. Using
the bug, an imposter could potentially talk his way into gaining sensitive
information.
America Online (AOL) subsidiary Mirabilis fixed the problem with its ICQ
system late Friday, following a Wired News request for comment on the
issue.
"We immediately identified the issue and fixed it -- [the security hole]
resulted from some improvements we have recently introduced in the
system," said Yossi Vardi, director of business development for
Mirabilis, in an email sent Sunday.
The Israeli company bills ICQ as "the world's largest Internet online
instant communication network." The system's home page boasts that more
than 60,000 new users sign up for ICQ every day.
Members use the system to check if friends are online, and send each other
"instant" text messages. Though Mirabilis cautions against using ICQ for
"mission critical" tasks, the system is gaining popularity in corporate
settings because it is faster than email for exchanging quick information
such as sales data.
Friday's bug was the most recent of several security problems that have
plagued the ICQ system. It worked by exploiting an administrator account
called UIN1 that is used to send system-wide messages.
A colleague of Zack Allison, a 19-year-old developer, discovered the bug
while working on Allison's independent effort to code an ICQ client for
the Linux operating system.
Allison discovered it was possible to log into ICQ as anyone else, simply
by using a password longer than eight characters on a non-Windows client.
"I could use [UIN1] to log into anyone's account, and send and receive
messages, and if there were any offline messages waiting, they would be
delivered," Allison said.
"There is always the possibility of misinformation -- someone could log in
as your account and send false messages to some other people, or log in
and send emergency messages."
Allison said that if an ICQ member was using the system to transfer files,
a malicious user could log in as someone known to that person -- and send
a program that the user assumed was from a trusted source.
"But [the message] could contain any number of viruses, or Back Orifice,"
Allison said, referring to a Trojan horse program affecting Windows 95 and
98 users.
Though Allison praised Mirabilis for dealing with the password issue
swiftly, other problems linger. These issues -- relating to the ability to
spoof or hijack another user's account -- remain, largely because the
system's newest protocol, the actual networking mechanics used by the
system, is designed to support older, less-secure versions.
"It seems like they are improving the protocol," said Seth McGann, the
author of an ICQ spoofing program. "Now they have [Version 5, the latest
revision] that is more secure than the older ones.... They are trying to
improve their security."
Many users have reported frustration with having found their ICQ accounts
and identities stolen out from under them.
"Myself and my daughter are victims of someone doing this to us," said
former ICQ user Natrice Rese in an email to Wired News. "Just today, [I]
received messages from someone professing to be my daughter, who asked for
my password to check out something on ICQ, because my daughter is having
trouble with someone spamming and harassing her."
"We have been forced to drop the ICQ chat program because this person has
taken our accounts, and changed the passwords ... and [is] impersonating
us," Rese said.
But Mirabilis promises that all these problems will soon be a memory.
"In the very near future we are releasing a completely new and much
improved client with a lot of completely new services," said Vardi.
"In this client, some additional issues are going to be resolved," he
said.
Received on Thu Aug 20 09:42:59 1998