[icq-devel] security flaw



Daniel Tan datan at seas.upenn.edu
Mon Apr 8 03:00:41 CEST 2002


It's been known for about a year.
There are a couple of publicly released programs that make use of it:

http://www.spacoom.net/dfm/DFM.exe [not sure if still up]
http://scorpius.spaceports.com/~ddt/invisible.html




Massimo Melina wrote:
> 
> cut&paste of a piece of my reply to the icq support team
> 
> IO> We apologize but currently such an option is unavailable.
> 
> what option?
> It was not a question but a statement. ICQ servers let other people
> know if I'm online, also in invisible mode, because of a security flaw
> in the protocol. That is, everyone is able to know if another UIN is
> really online, also in invisible mode.
> 
> Of course the ICQ client doesn't say it, but with other software it is
> possible. But no additional software is really needed for an advanced
> user, only watching the data exchanged with the server.
> 
> I hope this security flaw will be fixed, and I'm available to explain
> better if you need it. Please, it is an important privacy matter.
> 
> --
> Massimo Melina
> 
> -------------------------------------------------
> icq-devel - The forum for ICQ protocol discussion
> For unsubscribe and other mailing list info, see:
> http://www.d.kth.se/~d95-mih/icq/icq-devel/


