Update:
05/Feb/2002 - More info on affected and not affected platforms and cross
scripting. Plus a workaround!
If you are running MSN Messenger (and have JavaScript enabled) you should see
your name displayed below, along with a list of all your contacts.
Note: this has been tested on MSN Messenger (4.6.0073) for Win2k and Windows
Messenger (4.6.0073) for WinXP (all with IE 6).
If this page was hosted on microsoft.com, hotmail.com or
hotmail.msn.com you would also see your email address and your contacts' email
addresses (instead of "undefined").
This information could be placed in
a cookie and next time you request an item from the server (page, image, etc.),
this information would be sent back to the server, allowing Microsoft to know
who you are and who your friends are.
By default, everyone has access to your display name and those of your
contacts, but only Microsoft can get your email address this way. However,
third parties could get access to the email addresses by simply adding a
single entry to your registry. That would require a little more effort, but is
easily done. For example, installing software which contains "spyware" or
"adware" (such as Kazaa, Go!Zilla, Direct Connect, etc.*) could easily add such
an entry to your registry. After that you could be sending your email address
to them every time your computer loads an advertising banner from their site.
To demonstrate what this would look like from a Microsoft server, or to a
third party after placing a registry entry on your computer, add the following
to your registry (or run this file) and reload this page:
In key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes
(you may need to create the Suffixes key)
Add String: "Suffix0", Value: "raburton.members.easyspace.com"
Note: this value doesn't have to be a complete host name; adding just "com"
would open your contact list to any .com website.
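
One way to audit a machine for the registry entry described above, as an added example that is not part of the original page: the script parses the text of a .reg export and flags every Suffix value other than the three Microsoft domains named earlier. The export below is constructed sample data, and treating a suffix as a plain trailing-string match on the host name is an assumption based on the "com" note.

```python
import re

# Domains the page says can already read email addresses by default.
DEFAULT_TRUSTED = {"microsoft.com", "hotmail.com", "hotmail.msn.com"}
SUFFIXES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes"

# Constructed sample: text of a .reg export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies]
"Unrelated"="ignored"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes]
"Suffix0"="raburton.members.easyspace.com"
"Suffix1"="com"
"Suffix2"="hotmail.com"
'''

def parse_suffixes(reg_text):
    """Return {value_name: suffix} for string values under the Suffixes key."""
    found, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == SUFFIXES_KEY.lower()
            continue
        m = re.match(r'^"(Suffix\d+)"="(.*)"$', line, re.IGNORECASE)
        if in_key and m:
            found[m.group(1)] = m.group(2).lower()
    return found

def audit(reg_text):
    """Flag every suffix that widens access beyond the default domains."""
    findings = []
    for name, suffix in sorted(parse_suffixes(reg_text).items()):
        if suffix in DEFAULT_TRUSTED:
            continue
        # Assumption: a suffix with no dot covers a whole top-level domain.
        scope = "entire TLD" if "." not in suffix.strip(".") else "third-party domain"
        findings.append((name, suffix, scope))
    return findings

def host_exposed(host, reg_text):
    """Assumed matching rule: the host name simply ends with a listed suffix."""
    return any(host.lower().endswith(s) for s in parse_suffixes(reg_text).values())

if __name__ == "__main__":
    for name, suffix, scope in audit(SAMPLE_EXPORT):
        print(f"{name}: {suffix!r} exposes contact data to {scope}")
```
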
It seems that you are only affected if Internet Explorer is your browser.
Netscape, Mozilla, etc. are not affected.
If you use Trillian instead of Messenger you are not affected. It's the
Messenger software at fault, not the service.
Users of earlier versions of Messenger (e.g. 3.6) are at very high risk as it
will give out email addresses to any website, not just ones with the correct
suffix.
Cross Scripting - Making code execute from a page which was delivered
from another server. Make that a microsoft.com server and you have full access
to Messenger!
Demo: This is basic, incomplete and flawed (more details on the page), but it
starts to demonstrate the potential.
Work-around - In your Internet Explorer settings, choose the "Security" tab,
select "Internet", then click the "Custom Level" button.
Set "Script ActiveX controls marked safe for scripting" to "Disable".
Note: This also prevents things like WindowsUpdate running, and probably
others too.
Alternate version of suffix0.reg
here for users of older versions of Windows. Sent by a site visitor - thanks!