[MUD-Dev] Re: OT: ICQ hacks and exploits

Fri Jun 5 10:09:01 CEST 1998

Interesting.  One wonders whether the much-rumored $300M sale of ICQ to AOL
will change this situation (not to mention exemplifying the business model
of the '90s :-) ). =20

At 09:23 AM 6/5/98 -0700, J C Lawrence wrote:
>
>Due to the number of ICQ users we have here:
>
>Date: 4 Jun 1998 21:49:09 -0000
>From: announce-outgoing at rootshell.com
>Cc: recipient list not shown:  ;
>Subject: [rootshell] Security Bulletin #19
>
>...deletia...
>An archive of this list is available at :
>http://www.rootshell.com/mailinglist-archive
>...deletia...
>
>01. ICQ Hijaak
>- --------------
>
>As of 6/3/98 Mirabilis has disabled the ability to change your password at
>all.  The purpose of this bulletin is to alert all ICQ users of the dangers
>in the ICQ protocol.  Rootshell now has 4 unique exploits for the ICQ
>protocol online at www.rootshell.com.
>
>- --
>
>Date:         Sun, 31 May 1998 16:46:20 -0700
>From:         wumpus at INNOCENT.COM
>Subject:      ICQ Hijaaking.. Is YOUR account safe?
>
>The source code here pretty much says it all.  Mirabilis has been extremely
>negligent in fixing protocol holes, and this allows accounts to be=
 subverted
>with possible leaks of information.
>
>Merely by leaving your ICQ application logged in ( Java _or_ Win32 ) your
>account can be hijaaked (the password changed withoyt knowing the=
 original).
>An attacker can then use that account to obtain information from people
>contacting you, or to do other inappropriate things which would result in
>the account being terminated.
>
>I have given Mirabilis fair warning of this attack, and talked with Arik
>about what was necessary to fix it.  Unfortunately, with the last four
versions
>this has not been put into place.  It would seem the only way to fix such
>grave problems with their protocol is to air it in the public arena.
>
>There are no real workarounds for this problem, although there are some
>obvious workarounds to this exploit (left to the reader).  If you value=
 your
>ICQ account, do not log into it until a fix is available.  Otherwise, you
>can hope no one bothers to hit your UIN --- there are a huge number and you
>might be lucky.
>
>...full source code of exploit deletia...
>
>--=20
>J C Lawrence                               Internet: claw at null.net
>(Contractor)                               Internet: coder at ibm.net
>---------(*)                     Internet: claw at under.engr.sgi.com
>...Honourary Member of Clan McFud -- Teamer's Avenging Monolith...
>
>--=20
>MUD-Dev: Advancing an unrealised future.
>=20
--

Mike Sellers=A0=A0=A0=A0=A0=A0 Chief Creative Officer=A0=A0=A0=A0=A0=A0 The=
 Big Network
mike at bignetwork.com=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0
<http://www.bignetwork.com/>http://www.bignetwork.com

             =A0=A0=A0=A0=A0=A0=A0=A0=A0 Fun=A0=A0 Is=A0=A0 Good =20