Shoutbox

I already mailed him before, but since I have the idea it didn’t got through I’ve posted it <somewhere> here. (mods please remove that topic).

Its to serious to leave in there, but since I didn’t got response on my mail I decided to give it a little push over here. The post on mess is merely to warn people, since I’ve posted it a lot of people started using the trick (still harmless).

An no, it aint a Hoax, we’ve tried several things (on our selves) and all could ended up with disastrous results..

What?!?!? what is the meaning of the joke? There is absolutely nothing to be worried about and there's nothing to fix. I never got any mail from Timothy about this, else, I would have replied the same thing I'm going to reply now. Here is what they seem to be talking about:

Let's say your contact's name is a link to a file on the internet.
Now let's say that for some extraordinary dumb reason you decide to try to excuse the "/run (!N)" command.
Now that you've done that, let's say that you accept the security warning displayed by Internet Explorer.
... damn, you just downloaded a file from the internet that could be dangerous .

This "security alert" posted on mess.be should be simply deleted. If you use the /run command, you're aware that you're executing something I think and, if for some reason, you're using it with some tags, I would tend to think that you know what you're doing, don't you think?

quote:

---

I already mailed him before,

---

Read the post bitte, I allready mailed you 2 days ago,

But, the reason Im concerned about is that people use this to trick other people. Ill PM you with the full details patchou, and Ill remove the post from mess.be,

I never got any mail from you Tim, that's unfortunate . Well, if we're talking about the same thing, at least I'm sure that there's nothing to worry about. As I sais in my previous post, even if the user did some kind of copy past, he would still have to select Open and accept the security warning displayed by Internet Explorer. I see no problem here. Any program allows you to run something, at least from an explorer file selection window. That's not a security problem, that's just a fact .

Note: if I'm missing something, please let me know. I still see no difference with sending a link to a user and asking him to click on it. I can't be held responsible if a user follows instructions given by someone, anythign could be done by any software in that case. A security problem would be that Plus! automatically downloads and executes the program, which it doesn't do.

I PM-ed you, it has nothing to do with downloading of files, its about executing remote commands on some-one else’s computer, all posts and messages about it are removed

And sorry about the big media attention, but when the message doesn’t get through I use the "hard" way to put it to the attention.

If you PMed me you should have gotten a message from the forum saying that I rarely reply to PMs as I receive too many, sorry about that . As for executing remote commands, I see what you mean, but there's nothing harmful that could be done this way. If a user types (!N) alone after being asked by someone that has "/nick Sadam" as name and wonders why his name because Sadam, it's not the end of the world . Again, the same user could ask the same guy to download a file and execute it, which woud be far more dangerous.

yeah, but the /run command also executes from a nick....

And people are "dumb" enough to type (!N) if you ask them without questioning why,

Hm, I'm starting to see the point. It is rather social engineering If I'm not wrong. But it's very likely to happen to many people who don't know about what dangerous files they may accept or whan certain commands can do.

Maybe /run command should prompt before running exe's, com's, bat's, scr's or pif's.

quote:

---

Originally posted by timothy
And people are "dumb" enough to type (!N) if you ask them without questioning why,

---

Sadly true...

The problem is, those programs are allready on the other user`s computer, system tools etc. And now it just executes without a warning this way,

Patchou, i agree that changing someone elses nick isnt exactly 'dangerous', But all of the Messenger Plus! commands are available to these people to use - people wanted to find a way of getting an IP over messenger, now they have it.
However as timothy stated before: if someone has "/run application" in there name, typing (!N) will execute the run command (without the end user needing to type /run) and some people really are stupid enough to do this - believe me.
For example, if someone sets there name as "/nick ~~~(!IP)~~~~" its not so likley that the user (remember - not all messenger users are as smart as the people here) will recognise it as being malicious.

Is there not a way that you can filter out the (!N) command from executing any other commands, this would solve the problem.

Just my .02, you can choose what you want to do with Plus!, it is your extension after all. I just thaught that you may want to keep your users more secure from a potentially large security hole.