Adium

Opened 14 years ago

Closed 14 years ago

Last modified 12 years ago

#3740 closed defect (cantreproduce)

ICQ discloses IP addresses

Reported by: anthonykinyon@safe-mail.net
Owned by: nobody
Milestone:
Component: Service/ICQ
Version:
Severity: major
Keywords: IP address, security, attack, vulnerability, disclosure
Cc: anthonykinyon@…
Patch Status:

Description

Logging onto ICQ discloses the user's IP address publicly to other ICQ/AIM users (using other clients, at least, such as Trillian and probably others like GAIM etc.).

An attacker could use this to launch an attack such as a denial of service, etc. There should be an option to restrict disclosure of the user's IP address. The official ICQ client has or used to have this option within it. I think it still does.

Change History (12)

comment:1 Changed 14 years ago by anonymous

That is hardly a security problem. Sorry to state the obvious, but using file transfer, Direct IM (AIM) and other services will disclose your IP anyway, there is no way around that.

If you've kept your firewall enabled, this should be a non-issue. Home users have dynamic IPs so, if there is a denial of service attack that your ISP fails to catch, just unplug the modem to get a new random IP.

comment:2 Changed 14 years ago by timothybradshaw@…

To anonymous who posted the last message prior to this one. I *completely disagree* with your assessment. The original post from the submitter was, in fact, correct. This IS, in fact, a security threat. If you do file transfer with people you trust that's one thing, and why would you share files with people you don't know/trust anyway? But to strangers your IP address should *never* be disclosed. This is a serious security vulnerability and needs to be fixed promptly in the next release.

comment:3 Changed 14 years ago by anonymous (same as above)

"But to strangers your IP address should *never* be disclosed."

All a stranger has to do is to convince you to send an email or simply to load their website (or only an image from their website, like an avatar on a forum you trust) and they will get your IP address.

There is no reason why knowing someone's IP address should be treated as highly important. An IP address is just another random number that you get the chance to use for a few hours. It does not allow an attacker to get personal information and any half-decent firewall (including the built-in one) will block possible attacks. This doesn't even qualify as a disclosure of sensitive information, which is one of the lowest-rated categories of vulnerabilities.

comment:4 Changed 14 years ago by Timothybradshaw@…

That's true of any IM. But not all people are that gullible/trusting. The IP should not be displayed by default, end of story, just by seeing someone online.

comment:5 Changed 14 years ago by anonymous

Strongly agree that IP should NOT be displayed just by signing onto ICQ or any other service like this. Needs to be fixed in next release.

comment:6 Changed 14 years ago by David Smith

Milestone: Adium X 1.0
Resolution: fixed
Status: new → closed

This is most likely a libgaim issue, and therefore fixed by joscar.

comment:7 in reply to:  6 Changed 14 years ago by adium

Resolution: fixed
Status: closed → reopened

Replying to catfish_man:

> This is most likely a libgaim issue, and therefore fixed by joscar.

Not fixed yet. 1.0b11 can't see IP addresses for some reason (it looks like it isn't reading ICQ profiles properly, which is a separate issue), but a copy of Gaim logged into a different ICQ account on a separate machine can still see the IP.

Other clients don't seem to have this problem.

comment:8 Changed 14 years ago by adium

Correction: There appears to be some hidden state in my old ICQ account that's making this happen. A fresh account works as expected. This is still non-optimal, but perhaps it'll help things...

comment:9 Changed 14 years ago by Chris Forsythe

Summary: Security problem with AdiumX → ICQ discloses IP addresses

Have you tried logging into the official client with your original account and seeing if there is an option to not disclose this?

comment:10 Changed 14 years ago by Chris Forsythe

Milestone: Adium X 1.0 → Needs feedback from users

comment:11 Changed 14 years ago by Eric Richie

Resolution: worksforme
Status: reopened → closed

No response from user.

comment:12 Changed 12 years ago by Robert

Milestone: Needs feedback from users