Instant Messenger error leaves old buddy lists to new users

From...

by Jennifer Disabatino

(IDG) -- Microsoft is investigating a complaint that expired Hotmail accounts retain the linked MS Instant Messenger buddy lists, and those lists are available to the next person who registers the same e-mail address on a Hotmail account.

Microsoft spokeswoman Leslie Hui acknowledged the company is aware of the problem, but didn't say for how long, or when the access to supposedly expired buddy lists would be closed off.

MESSAGE BOARD Security on the Net     ALSO Security flaw discovered in Network Associates PGP software

The glitch first came to light more than a year ago, when Dmitri Alperovitch, a software developer and part-founder of Encryption Software Inc., left a message at the Bugtraq Web site in which he detailed the programming glitches. He didn't indicate that the possible holes had created any real problems.

Trouble Reported a Year Ago

Alperovitch wrote in an e-mail to Computerworld, "I did not receive any official response from Microsoft" after his Bugtraq post last year.

"I first checked it a year ago because I expected Microsoft to learn from the mistakes that ICQ and other early IM developers have made in regards with security. I was left quite disappointed that they repeated the same mistakes that others have made, in regards to not using any kind of encryption and also tying the service so closely to Hotmail, which has been plagued with all kinds of security problems in the recent months, which could have potentially compromised the security of not only users' e-mails, but also their IM contact lists and messages."

MORE COMPUTING INTELLIGENCE

IDG.net home page

Computerworld's home page

Instant messaging: Valuable tool or distraction?

Flower power: Our top ICQ tips

IETF meeting explores standards

Reviews & in-depth info at IDG.net

E-BusinessWorld

TechInformer

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for IT leaders

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

"I don't think anybody really knew that contacts wouldn't be cleaned out," said James Nelson, a systems administrator at Cisco Systems Inc. in San Jose. Recently he found out otherwise.

Recycled Accounts

On Aug. 14, Nelson posted a warning at Bugtraq. He wrote that when his account expired after four months of inactivity, he tried to reregister it. Microsoft employees told him his account had never existed, so he registered the same account name from scratch. To his surprise, he wrote on Bugtraq, his old buddy list came up.

Later, he wrote, someone else was using his identity from a different account that he no longer used.

"One day, someone unknown appeared in my contacts' list. Turned out that someone had registered that (by then canceled) account, and had inherited my contacts' list," Nelson wrote in the posting.

"The first time, I thought it was a fluke," Nelson said in a telephone interview. "It's not a huge thing, but it is sort of disturbing."

FreeIM challenges AOL's testimony on instant messaging
August 11, 2000
Aimster file-sharing program runs on AOL's instant messaging
August 11, 2000
AOL excluded from instant messaging standard proposal
August 4, 2000
AOL rivals unify instant messaging
July 26, 2000
Socket is game for instant messaging
June 7, 2000

Security lies behind messaging battles
IT World
IETF meeting explores Web standards
Infoworld
Odigo unites instant messengers
PC World
Hotmail users spreading viruses, ISP says
Computerworld
Security hole knocks Microsoft's Hotmail offline
Infoworld
Flower power: Our top ICQ tips
PC World
IMUnified takes AIM at open messaging
PC World
Instant messaging: Valuable tool or distraction?
Computerworld

Security Focus: home of Bugtraq
MSN Messenger Service product page

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.