ICQ 6.5 HTML Injection Bug
August 19, 2009 by Jeff Hester
Filed under ICQ
The venerable IM is vulnerable. SecuObs.com reports that version 6.5 of the popular instant messenger ICQ (“I seek you”) is vulnerable to an HTML-injection attack.
What does this mean?
The incoming message window in the vulnerable ICQ client works like a mini web browser. An attacker can try to exploit the vulnerability by sending a specially crafted message to the remote ICQ client. The malicious message can contain text that will be interpreted and displayed in the incoming message window as HTML code. Potentially, arbitrary HTML code could be injected.
There are two risks that have been identified:
1. Information disclosure
For example, an attacker can inject an <IMG> tag that could lead to information disclosure (such as the remote client’s IP address, browser version, OS version, etc.).
2. Spoofing
An attacker can spoof the ICQ client software’s system messages, interface elements (buttons, links) in the message window, etc. For example, this could be used to get ICQ users to click on an attacker’s malicious link.
The vulnerability exists in the latest build of ICQ 6.5, and may affect older versions as well.
As of yet, ICQ has not issued an update to fix this vulnerability. To be safe until they do, I suggest using an alternate, compatible IM client such as Trillian, Adium, Pidgin or Digsby.
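The two risks above both come from message text being handed to an HTML renderer as markup. As an added example (not ICQ's code and not from the original report), this JavaScript contrasts that pattern with a renderer that treats message text as data; the function names, the sender ID, the sample message and the `example.invalid` hosts are all constructed for illustration.

```javascript
// Added example: rendering an incoming IM message for an HTML-based message view.
// All names and sample values are hypothetical, not taken from ICQ.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: message text is concatenated into markup as-is,
// so any tags it contains are parsed by the embedded HTML renderer.
function renderMessageUnsafe(sender, text) {
  return '<div class="msg"><b>' + sender + ':</b> ' + text + '</div>';
}

// Hardened pattern: sender and text are escaped, so tags display as text.
// Only http(s) URLs become links, and the link text is always the real
// destination, so a message cannot dress a link up as a button or system notice.
function renderMessageSafe(sender, text) {
  const s = String(text);
  const urlPattern = /\bhttps?:\/\/[^\s<>"']+/g;
  let html = '';
  let last = 0;
  for (const match of s.matchAll(urlPattern)) {
    html += escapeHtml(s.slice(last, match.index));
    const url = escapeHtml(match[0]);
    html += '<a href="' + url + '" rel="noreferrer noopener">' + url + '</a>';
    last = match.index + match[0].length;
  }
  html += escapeHtml(s.slice(last));
  return '<div class="msg"><b>' + escapeHtml(sender) + ':</b> ' + html + '</div>';
}

// Constructed sample message combining both risks: an <IMG> tag that would be
// fetched automatically, and markup imitating a system message.
const incoming = '<img src="http://tracker.example.invalid/p.gif">' +
  '<b>System:</b> update at http://example.invalid/u';

console.log(renderMessageUnsafe('12345', incoming));
console.log(renderMessageSafe('12345', incoming));
```

In the safe output the `<img>` tag arrives as visible text, so nothing is fetched until the user chooses to click a link whose destination is shown in full.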
Introduction to ICQ
February 7, 2003 by Jeff Hester
Filed under ICQ, Instant Messaging
ICQ (pronounced “I seek you”) is the grand-daddy of all instant messaging programs. Yep… Long before MSN or Yahoo, there was ICQ. It may not have been pretty, but if you wanted instant messaging, that’s what you probably used.
ICQ has grown over the years and claims over 100 million users worldwide. More and more features were added to ICQ, and many people avoid it now because of its complexity and “feature bloat”: unnecessary and unwanted features. Other loyal fans swear by the little upstart, and continue to use it even though it’s now a part of giant AOL/Time Warner.
You might think that since AIM and ICQ are both owned by AOL that they would work together, but sadly, this is not the case. The good news (for ICQ users, at least) is that AOL seems content to let ICQ continue to grow and develop independently of AIM, so you can expect support and updates for at least the foreseeable future.
Good news for ICQ fans! Tired of the giant download and system requirements of the full-blown version of ICQ? Well the good folks at ICQ have felt your pain, and responded with a new, leaner and cleaner version: ICQ Lite! They’ve stripped down a lot of the bells-and-whistles and created a small download with a much cleaner, easier-to-use interface. Bravo!!! You can check out some screen shots here in our ICQ forum.














