Shoutbox

Hello everyone, a while ago I discovered a  discovered a security vulnerability in the software of messenger live plus who is to recover all the pages of chat logs of all users of messenger live plus, for now I want to talk with Patchou of this software and the security measures.

Thank you for helping me to contact Patchou.

I believe the fastest way to contact him would be to send an email to patchou@msgpluslive.net, an address he himself has given out on these forums before.

Thank you man

Chat logs of all users on a computer are stored in My Documents. Can you give more information about the "vulnerability" you found? Thanks.

quote:

---

Originally posted by Patchou
Chat logs of all users on a computer are stored in My Documents. Can you give more information about the "vulnerability" you found? Thanks.

---

I think the OP is refering to the feature "exposing" chat logs on your system to anyone who has access to it. However it is your own responsibility to encrypt the chat logs.

Patchou:
Plus! 5 should ask the user if the computer is shared and force auto encryption on the logs. This will prevent such fake "vulnerability" report.

The pages of chat logs are stored not only in your computer (even if it is already dangerous) but also in the computers of individual users of Messenger  Live Plus, and that's the problem because it only takes a small Peer to Peer software to retrieve them, and I think this is illegal because no one wants to see his conversations read by others.

By that logic Microsoft's own chat logging functionality (or any Messenger client with chat logging for that matter) is "vulnerable" too.

quote:

---

Originally posted by allaoua
because it only takes a small Peer to Peer software to retrieve them

---

Which the user would have to allow to happen locally. The user would need to have his security breached in another way first. This is not a security vulnerability in the Messenger Plus! software. It is the user's job to keep his local files local.

Precisely, that's the problem (in my opinion) is that Messenger Live Plus keeps the chat logs on the client side, client side and as everyone knows is not sure if was by cons server side it will be better and more secure.

And for your information sir, a security vulnerability is anything allowing to have private informations and there are two kinds:

1-passive
2-active

and I think that I downloaded your own pages conversations is not pleasant and it is a passive attack.

I say one thing, Messenger Live Plus is the sole responsibility of this security hole, and MSN only without Messenger Live Plus can never have this problem.

Thank you.

What makes you think chat logs are saver on a server, that's giving control over security away to an unknown party. What if the server gets hacked? Then the hacker in question will have access over all the chat logs instead of just those from a single person. Server-side storage makes it a much bigger target. And we'll still have to download the logs to our local machines to be able to view it, a person with access to the local macine will still be able to "steal" the log files as before.

quote:

---

Originally posted by allaoua
MSN only without Messenger Live Plus can never have this problem.

---

Windows Live Messenger (as MSN is called for years now) has its own chat logging functionallity too, you don't need Messenger Plus! for that. Live Messenger's own chat logging also stores the log files locally. In a way Live Messenger's own logging functionallity is less secure, because Messenger Plus! allows password protected log files, Live Messenger does not.

Ok that is your point of view, but still download the pages of chat logs from other people is still a security hole.

and I will not enter into a conversation about the advantages / disadvantages of client side or server side.

Most me when I try to download the pages of history conversations I managed to have lots of pages, and if I use just a way i can get more efficient, much more, I think I ' I did my duty to alert you and you to see, thank you.