Social engineering - MSN Messenger - Yahoo Messenger - for users this summer it gets worse …

Messaging is being used ever more often at work as well as at home to communicate with friends, associates and strangers. But what about the security?

Well, maybe if you use MSN Messenger, you should try this during a chat session. Ask your buddy to allow you to send her a file. While the transfer is running, use the netstat -an command. This command shows the address the file is being transferred to. This works if your buddy is not using a proxy. The command is executed as follows:

  1. click on start ==> then click on run ==> thereafter type: cmd.exe
  2. at the command prompt type: netstat -an

The above method works for MSN Messenger. If you want the IP of a user on Yahoo Messenger, all you do is add a user to your list with social engineering techniques, then you listen on port 5101 and send the victim a normal instant message. Yahoo compromises security in that way by attempting to establish a peer-to-peer connection between consumer clients, to save on server usage. Yahoo does not appear to care how easy it is to obtain a user's IP by simply sending someone an instant message. Yahoo claims that the fact you need to add each other to a friends list first is good enough security to protect users.

So what good does this do?

Getting a person on your messenger list and sending them an attachment or file via the network will allow you to get their IP address. Even corporate users are rarely behind a proxy. If you want a non-proxy IP from a corporate user, messenger is the application they very rarely use with their corporate proxy.
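
From the defender's side, the same netstat -an output shows whether a workstation's messenger client is bypassing the proxy. The following is an added example, not part of the original post: it flags TCP sockets on port 5101 that listen for, or are connected to, anything other than an approved proxy. The sample output, the proxy address 192.0.2.1 and the function names are constructed for illustration.

```python
"""Audit `netstat -an` output for direct messenger peer-to-peer sockets."""

P2P_PORT = 5101  # port the article names for Yahoo Messenger peer-to-peer

# Constructed sample in Windows `netstat -an` layout (documentation addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:5101      ESTABLISHED
  TCP    192.0.2.10:5101        203.0.113.9:3377       ESTABLISHED
  TCP    192.0.2.10:1050        192.0.2.1:8080         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; port is None for '*' or junk."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None


def find_p2p_exposure(netstat_text, proxies=frozenset()):
    """Return (kind, local, remote) for TCP sockets that involve P2P_PORT
    and do not terminate on an approved proxy address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # headers, UDP rows (no state column), blank lines
        _, local, remote, state = fields
        _, lport = split_endpoint(local)
        raddr, rport = split_endpoint(remote)
        if P2P_PORT not in (lport, rport):
            continue
        if state == "LISTENING":
            findings.append(("listener", local, remote))
        elif state == "ESTABLISHED" and raddr not in proxies:
            findings.append(("direct-peer", local, remote))
    return findings


if __name__ == "__main__":
    # Hypothetical approved proxy address; replace with your own.
    for kind, local, remote in find_p2p_exposure(SAMPLE, {"192.0.2.1"}):
        print(f"{kind:12} local={local:22} remote={remote}")
```

A listener on 5101 means the client accepts inbound peer connections; a direct-peer row means the workstation's real address has already been exposed to the other end.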

Is this a security threat?

By adding an individual to one’s messenger buddy list, a potential attacker has (see above command) obtained the IP address of a major dot-com. A hacker can target several machines at your firm’s end or ISP with this information. Yahoo Messenger at no time alerts its users, ‘do you want to p2p message with this buddy?’. Instead this just secretly happens in the background. Only technical users are aware of this vulnerability.

Having a non-proxy IP address from a major corporate is great for a hacker that wants to explore things or use a botnet.

Conclusion

For quite some time, the Yahoo messenger protocol has been easy as chips to hack, to obtain cookies, disconnect users from the network etc.

This summer, however, Microsoft Messenger and Yahoo Messenger are about to link their networks, giving users cross-network compatibility.

What makes it even worse is that at some companies, such as Yahoo with its backyard host names, every hostname contains the corporate ID of the person who uses the computer. For instance, Yahoo uses:

  • corpid.corp.yahoo.com

As a result the potentially malicious user knows

  1. the corporate login of the user,
  2. the real name of the user and
  3. the corporate e-mail of the user

Most certainly, Yahoo is not the only enterprise doing this, is it?

=======>

PS1. You need a direct connection to the Internet to use the netstat trick: a DSL modem or a dial-up modem that gives your machine the WAN IP. Then this will work.

PS2. Jeremy Zawodny’s blog continues to have juicy stuff about Yahoo and MS Messenger as well as Trillian software (too bad I cannot get his postings via e-mail for convenience’s sake).


2 Responses to “Social engineering - MSN Messenger - Yahoo Messenger - for users this summer it gets worse …”

  1. Alex Says:

    Hi,
    I am a Yahoo!/MSN Messenger user and I am interested in these security problems, but.. I have another problem too; I am a “newbie” and I don’t perfectly understand this “synthetic” comment:
    “If you want the IP of a user on Yahoo Messenger, all you do is (…) LISTEN ON PORT 5101 and send the victim a normal instant message.”
    “Listen on port 5101”?
    How can I do it?
    Must I type netstat -an at the command prompt and/or do I need to use a packet sniffer?
    I need an explanation “step by step” if you want to help me:-)

    Thanks, and sorry for my “stupid” ask.

  2. Urs E. Gattiker, Ph.D. Says:

    Dear Alex

    Thanks for this comment more than a year after the original post.

    Unless you have direct internet access with an IP address, it will not work. Moreover things have changed since 2006 and it is not clear to me why you want to do this….

    And as a newbie you should probably not do this….. But I hope you have subscribed.

    Also, GAIM (allows chatting with Yahoo, GTalk, etc.) and WengoPhone (VoIP integrates Gaim) are your best option. Install one of the two and you will be better off, particularly as far as security is concerned.

    - Getting Gaim = safer Instant Messaging

    - Getting WengoPhone = integrates Gaim and is safer than Skype

    Ciao
    Urs
