5 February 2002
A new security flaw has been found in Microsoft’s instant messaging software that could be used to identify individual users and their friends.
The ‘privacy hole’ affects Microsoft’s free MSN Messenger software, which enables communities of users to “chat” on the Internet. The software is built into Microsoft’s Windows XP operating system and integrated with the Outlook 6.0 email client.
According to reports, Microsoft is able to access user data and the details of the user’s instant messaging peers when a computer running MSN Messenger accesses a Microsoft site.
However, the program directory that enables this can also be easily accessed and edited by other software running on the user’s computer. For example, the registry can be edited so that all websites with a ‘.com’ or ‘.org’ suffix can view all user details.
The revelation will re-ignite debate about Internet privacy, as well as the power and control that Microsoft enjoys in the computer industry. Windows XP has been criticised as “nag-ware”, for badgering users into signing up to various disparate Microsoft applications in a bid to shut out competitors, such as Real Networks and America Online (AOL).
Instant messaging applications have become the latest weapons in an ongoing war for Internet users between Microsoft and AOL. The programs have gained popularity with users in recent years and form one of the central planks of these companies’ Internet strategies.
For example, Microsoft has used the popularity of its MSN Messenger to boost the number of users with an assigned .NET Passport – the authentication system for Microsoft’s .NET platform, and the method by which Messenger users log on to the service.
Microsoft hopes to use .NET Passport as an Internet user’s main access point to products and services on the Web. Similarly, AOL has joined the Liberty Alliance, a loose alliance of hi-tech companies led by Sun Microsystems, to provide an independent authentication system as the basis for its own online services.
However, analysts and security experts have criticised the Passport authentication system as insecure because it relies only on an email address and password.