Shoutbox

Messenger Plus! 3.x Password Change Security Bypass Vulnerability - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Messenger Plus! for Live Messenger (/forumdisplay.php?fid=4)
+---- Forum: WLM Plus! Bug Reports (/forumdisplay.php?fid=7)
+----- Thread: Messenger Plus! 3.x Password Change Security Bypass Vulnerability (/showthread.php?tid=42637)

Messenger Plus! 3.x Password Change Security Bypass Vulnerability by m0fo on 04-12-2005 at 05:59 PM

Title: Messenger Plus Password Change Security Bypass Vulnerability
Risk: Medium
Date: 07.04.2005
Publisher: m0fo (editor at sec.org.il)


For More Details: http://sec.org.il/articles.php?a=187


RE: Messenger Plus! 3.x Password Change Security Bypass Vulnerability by Zephyr on 04-12-2005 at 06:05 PM

I really don't think this is a security risk as the lock for MSN messenger is not something to stop hackers or anything, but to stop users of the same computer from opening your MSN. Also, settings can be saved which save passwords i think, so these can be restored.


RE: Messenger Plus! 3.x Password Change Security Bypass Vulnerability by Patchou on 04-12-2005 at 06:07 PM

yeah I saw that, it's just a bunch of crap which doesn't mean anything... if you're afraid that people are going to steal your MSN password because of Plus!, don't worry, it's not going to happen.. the poster of this article is merely talking about how to deactivate station lock when it's active... talk about a medium risk, he must be working for the Microsoft Anti-Spyware team.


RE: Messenger Plus! 3.x Password Change Security Bypass Vulnerability by Stigmata on 04-12-2005 at 06:15 PM

i saw that he put 'Messenger Plus' as the header, and didnt feel it nessairy to carry on..

edit:
i said MSN Plus not messenger plus
jeez...
wdz you must be kidding me....


RE: Messenger Plus! 3.x Password Change Security Bypass Vulnerability by RaceProUK on 04-12-2005 at 06:27 PM

code:
if (RegOpenKey(HKEY_CURRENT_USER, keyPath, &hKey) == ERROR_SUCCESS) {
        RegDeleteValue(hKey, "DataP");
        RegDeleteValue(hKey, "UDataP");
    }
    RegCloseKey(hKey);
If the password was protecting something important, would it be that easy?
RE: Messenger Plus! 3.x Password Change Security Bypass Vulnerability by Patchou on 04-13-2005 at 05:45 AM

lol.. well, anyone smart enough to delete those registry keys is smart enough to find another way so... :p