From: Dmitri Alperovitch [dmitri@ENCRSOFT.COM]
Sent: Thursday, July 22, 1999 3:41 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: First reflections on security of MSN Messenger

Hi.

Having just downloaded and briefly examined Microsoft's newly released MSN Messenger (Microsoft's alternative to ICQ, AIM and other instant messaging clients), I must say that Microsoft has not learned a single thing from the serious security design mistakes made by other instant messengers. Here is a list of vulnerabilities that I have found in the first 30 minutes of using it:

1. Password (which is the same as your Hotmail e-mail password) and contact list are stored in the Registry (HKEY_CURRENT_USER\Identities). They are both stored as ASCII values in a binary field. (Does Microsoft actually believe that such an amateur trick is going to stop a serious hacker?)

2. The instant messages are sent unencrypted in MIME format. Curiously, there is a mention of "security software licensed from RSA Data Security, Inc" in the About box of the application, and the program is apparently using Crypto API hash functions for _something_, but it's unclear for which purpose. It might actually send a password hash, instead of the real password, in its communication with the server, but I have not been able to check that yet.

3. The program is using Hotmail as its user base. So, if you do not have a Hotmail account, you apparently cannot use the program until you register one (nice marketing technique). However, this also presents a big security problem. Hotmail has a policy to terminate user accounts after 120 days of inactivity. So, you might find yourself in a situation where you've been unable to access your Hotmail account for 3 months and someone else has registered your account and is impersonating you on MSN Messenger!

These are only the most noticeable problems that I've discovered by just examining the program's operation, the registry, and very briefly looking at the packets sent by the program.

A closer and more thorough examination of the packet exchange might reveal further and maybe even more serious security weaknesses.

Yours truly,
Dmitri Alperovitch
Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
http://www.encrsoft.com
dmitri@encrsoft.com
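The first finding in the post, a secret stored as plain ASCII inside a REG_BINARY value, is the kind of thing a configuration audit should catch rather than a reviewer's eye. The following is an added example, not code from the post or from Microsoft: a small check that flags a "binary" blob whose bytes are almost all printable ASCII with the low entropy of natural text, which is exactly what an ASCII password or contact list looks like when stuffed into a binary field. The sample blobs are constructed here to mirror the layout the post describes; on a real Windows host an audit would read the actual REG_BINARY values (for example with the standard `winreg` module) and feed them to `looks_like_plaintext` instead.

```python
import math
from typing import Dict

# Constructed sample values (not real registry data). The first two mimic
# the post's description of password and contact list stored as ASCII in a
# binary field; the third stands in for a genuinely opaque (encrypted or
# random) value, which an audit should leave alone.
SAMPLE_VALUES: Dict[str, bytes] = {
    "password":     b"correct horse battery staple",
    "contact_list": b"alice@example.com;bob@example.com;",
    "opaque":       bytes(range(0, 256, 7)) * 2,
}


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20-0x7E) or tab/CR/LF."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(blob)


def shannon_entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; English text lands well under 5."""
    if not blob:
        return 0.0
    counts: Dict[int, int] = {}
    for b in blob:
        counts[b] = counts.get(b, 0) + 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_plaintext(blob: bytes,
                         min_printable: float = 0.95,
                         max_entropy: float = 5.0) -> bool:
    """True when a supposedly binary value is really just ASCII text.

    Both thresholds are assumptions chosen for this example: nearly every
    byte printable, and per-byte entropy below what ciphertext or random
    key material would show.
    """
    return (printable_ratio(blob) >= min_printable
            and shannon_entropy(blob) <= max_entropy)


def audit(values: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each value name to whether it should be flagged as plaintext."""
    return {name: looks_like_plaintext(blob) for name, blob in values.items()}


if __name__ == "__main__":
    for name, flagged in audit(SAMPLE_VALUES).items():
        status = "PLAINTEXT IN BINARY FIELD" if flagged else "ok"
        print(f"{name:13s} {status}")
```

The two-signal check matters: a printable-ratio test alone would miss a Base64-wrapped secret (high printable ratio, but entropy close to 6 bits per byte), while an entropy test alone would flag short random keys and pass long repetitive text. Tune the thresholds on known-good values from the system being audited before trusting the verdicts.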