Skip to main content /TECH with IDG.net
CNN.com /TECH
MAIN PAGE
WORLD
U.S.
WEATHER
BUSINESS
SPORTS
POLITICS
LAW
SCI-TECH
SPACE
HEALTH
ENTERTAINMENT
TRAVEL
EDUCATION
IN-DEPTH

VIDEO
LOCAL
CNN NEWSWATCH
E-MAIL SERVICES
CNNtoGO
ABOUT US/HELP

CNN TV
what's on
show transcripts
CNN Headline News
CNN International
askCNN

EDITIONS
CNN.com Asia
CNN.com Europe
CNNenEspanol.com
CNNArabic.com
set your edition





Microsoft: Messenger flaw can expose user data

From...
 itworld.com
graphic

By Sam Costello

(IDG) -- Microsoft has confirmed that its instant messaging programs -- MSN Messenger and the Windows Messenger, included with the company's Windows XP operating system -- can allow users' names and e-mail addresses, as well as those of their chat buddies, to be viewed.

The issue was first mentioned in an alert posted to the Bugtraq security e-mail list on February 2.

The flaw, which was discovered by Richard Anthony Burton, allows a Javascript placed on a Web page visited by MSN Messenger users to obtain a user's display name for the chat program, as well as the names of all their contacts in the program, he wrote. This could allow many people's real names to be harvested by malicious Web sites, he said. If no display name is set in the program, the Javascript will obtain the user's e-mail address instead, according to Burton.

IDG.net INFOCENTER
IDG.net
Features
Visit an IDG site


IDG.net search



Some Web sites owned by Microsoft are able to access the e-mail addresses of users and all their contacts, Burton wrote. The technique used by these sites to monitor user visits could also be used by other Web sites, if users downloaded software that changed their computer settings slightly to allow the monitoring, he wrote. Such a change might be made without warning the user, he added.

In Burton's test, the bug affects MSN Messenger 4.60073 on Windows 2000 using Internet Explorer 6 and the same versions of Windows Messenger and Internet Explorer on Windows XP.

The flaw, which a Microsoft spokeswoman acknowledged Friday to be present, exists as part of a feature designed to allow Messenger users to be notified when they've received new e-mail in their Hotmail accounts, and to see if the person who has sent an e-mail to those accounts is online with Messenger.

Although Microsoft is treating the flaw as low-risk, it will release a new version of the Messenger products that addresses the issue early this week, the spokeswoman said. Users will be notified that a new version is available and will be prompted to download it, the spokeswoman said.

Concerned users can go to the MSN Messenger support Web site for information about the issue and steps they can take to protect themselves, the spokeswoman said.

That page is located at http://messenger.msn.com/support/status.asp.


 
 
 
 


RELATED STORIES:
• Security hole found in AOL Instant Messenger
January 2, 2002

RELATED IDG.net STORIES:
• MSN Messenger flaw can disclose user data
(IDG.net)
• MSN offers portal, Hotmail for mobile users
(IDG.net)
• Software lets IT managers monitor instant messaging
(InfoWorld.com)
• Suggested AIM fix features security flaw
(PCWorld.com)
• AIM adds AT&T Wireless users to buddy list
(IDG.net)
• Security flaw found in ICQ
(PCWorld.com)
• Instant messaging hacker tool poses a threat
(PCWorld.com)
• Must-have Internet apps
(PCWorld.com)

RELATED SITES:
• Microsoft, Corp.

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


TECHNOLOGY TOP STORIES:
• Report: SUVs pose danger to cars
• New telemarketer tool trumps TeleZapper
• Terra Lycos logs $2.2B loss
• AOL to offer song downloads
• Microsoft seeks fiscal fountain of youth

(More)

 Search   

Back to the top
© 2003 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines. Contact us.