lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1423848914.20050830124533@soltysiak.com>
Date: Tue, 30 Aug 2005 12:45:33 +0200
From: Maciej Soltysiak <maciej@...tysiak.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [UNTRUE] Gadu-Gadu supposedly fixed the invisible
	detection vulnerability?


Hello,

=== Introduction ===
Today some services announced that Gadu-Gadu company fixed the
vulnerability in their servers that was used by software plugins
like "Inwigilator" from the Power Project, et. al. to detect
whether a user of the IM program is Unavailable or Invisible.

=== What is untrue ===
I am not aware what technique is used by these plugins, but
unfortunately or not, it is *still* possible to detect
whether the user is invisible using the same old technique
I discovered on 23 september 2004 (The article[1] written in Polish
is still available and the POC[2] uses libgadu[3])

=== Usage ===
Compiled POC allows you to try to detect the invisible user:

# ./gadu <your_uin> <your_password> <victim_uin>
gadu_connect: success.
Gosciu jest online!
gadu_disconnect

This shows that <victim_uin> is online. If seems unavailable
it means they are invisible.

The conditions remain constant:
- the victim must have you listed in their address book
- the victim must have image messages enabled (that is the
minimum size > 0)

The vendor was notified on in september 2004.

=== References ===
[1] http://soltysiak.com/articles/gg_ir.php
[2] http://www.soltysiak.com/gadu.c
[3] http://dev.null.pl/ekg/

--
Regards,
Maciej Soltysiak


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ