Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43423
  • Total Topics: 16520
  • Online today: 2635
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2618
Total: 2619









Author Topic: Windows Live ID registration could be gamed with bad addresses  (Read 3828 times)

0 Members and 1 Guest are viewing this topic.

Amker

  • SCF Global Moderator
  • *****
  • Posts: 1076
  • KARMA: 22
  • Gender: Male
    • SCforum.info
June 19, 2007 (IDG News Service) -- Microsoft Corp. on Tuesday fixed a bug in its Windows Live ID registration that let users deceptively register a false e-mail address.

The false e-mail address could then be used as an ID for Microsoft's Live Messenger program, which could trick a user into thinking they are chatting with someone who is not whom they appear to be, such as steveballmer@microsoft.nl.

Erik Duindam, a Web developer in Leiderdorp, the Netherlands, reported the problem to Microsoft on Monday. Microsoft acknowledged it had fixed the bug but did not have further information on the flaw's impact.

It's unclear how long the flaw may have existed or how many accounts with deceptive instant messenger IDs could have been created. Duindam said a fake ID he created was still active on Tuesday morning.

If a user attempts to create a Windows Live ID, Microsoft sends a confirmation e-mail to the e-mail address entered by the user. Without confirmation, Microsoft includes a warning with future messages sent by instant message, which appear as: fake@emailaddress (E-mail Address Not Verified).

However, accounts created over the weekend with fake e-mail addresses were still active as of Tuesday and carried no such warning.

"It's heaven for scammers," Duindam said via instant message on Tuesday.

An attacker could use the flaw as part of a social-engineering ploy, where users are tricked into doing something that puts their machine at risk. For example, victims could receive an instant message from someone who appears to have their boss's e-mail address.

At that point, victims could be tricked into thinking they are communicating with their boss. The hacker could then send a link to a malicious Word document, for example, that could install a keystroke logging program on a machine.

"In one swoop, you can become the boss, or human resources or accounts," wrote Chris Boyd, senior research manager with FaceTime Communications Inc., via instant message.

Boyd said if the original spoofed accounts are still active, Microsoft should try to shut them down as soon as possible. But it could be difficult, especially if Microsoft was not aware of the flaw and can't track the spoofed accounts.

SNP
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023