| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Aug 30 12:46:05 2005 From: maciej at soltysiak.com (Maciej Soltysiak) Subject: [UNTRUE] Gadu-Gadu supposedly fixed the invisible detection vulnerability? Hello, === Introduction === Today some services announced that Gadu-Gadu company fixed the vulnerability in their servers that was used by software plugins like "Inwigilator" from the Power Project, et. al. to detect whether a user of the IM program is Unavailable or Invisible. === What is untrue === I am not aware what technique is used by these plugins, but unfortunately or not, it is *still* possible to detect whether the user is invisible using the same old technique I discovered on 23 september 2004 (The article[1] written in Polish is still available and the POC[2] uses libgadu[3]) === Usage === Compiled POC allows you to try to detect the invisible user: # ./gadu <your_uin> <your_password> <victim_uin> gadu_connect: success. Gosciu jest online! gadu_disconnect This shows that <victim_uin> is online. If seems unavailable it means they are invisible. The conditions remain constant: - the victim must have you listed in their address book - the victim must have image messages enabled (that is the minimum size > 0) The vendor was notified on in september 2004. === References === [1] http://soltysiak.com/articles/gg_ir.php [2] http://www.soltysiak.com/gadu.c [3] http://dev.null.pl/ekg/ -- Regards, Maciej Soltysiak
Powered by blists - more mailing lists