Quantcast
Channel: BigBlueBall » ICQ
Viewing all articles
Browse latest Browse all 2

ICQ 6.5 HTML Injection Bug

0
0

ICQThe venerable IM is vulnerable. SecuObs.com reports that popular instant messenger ICQ (“I seek you”), version 6.5 is vulnerable to HTML-injection attack.

What does this mean?

The incoming message window in the vulnerable ICQ client works like a mini web browser. An attacker can try to exploit the vulnerability by sending specially crafted message to the remote ICQ client. The malicious message can contain text data which will be interpreted and displayed in the incoming message window as a HTML code. Potentially an arbitrary HTML code could be injected.

There are two risks that have been identified:

1.  Information disclosure

For example, an attacker can inject <IMG> tag that could lead information disclosure (such as remote client’s IP address, browser version, OS version, etc.)

2.  Spoofing

An attacker can spoof ICQ client software’s system messages, interface elements (buttons, links) in the message window, etc. For example, it could be used for forcing of the ICQ users to click on attacker’s malicious link.

The vulnerability exists in the lastest build of ICQ 6.5, and may affect older versions as well.

As of yet, ICQ has not issued an update to fix this vulnerability. To be safe until they do, I suggest using an alternate, compatible IM client  such as Trillian, Adium, Pidgin or Digsby.

HTML-injection vulnerability exists in official ICQ client software. Incoming message window in the vulnerable ICQ client has a web browser nature. An attacker can try to exploit the vulnerability by sending specially crafted message to the remote ICQ client. The malicious message can contain text data which will be interpreted and displayed in the incoming message window as a HTML code. Potentially an arbitrary HTML code could be injected.
There are two impacts of the vulnerability has been detected:
1.  Information disclosure
For example, an attacker can inject <IMG> tag that could lead information disclosure (such as remote client’s IP address, browser version, OS version, etc.)
2.  Spoofing
An attacker can spoof ICQ client software’s system messages, interface elements (buttons, links) in the message window, etc. For example, it could be used for forcing of the ICQ users to click on attacker’s malicious link.
Maybe other impacts are possible.

Viewing all articles
Browse latest Browse all 2

Latest Images

Trending Articles





Latest Images