• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Microsoft MSN ActiveX Object Information Disclosure Vulnerability

Microsoft's MSN Messenger is a popular instant messenger application for the Window's family of operating systems. It is based on the Passport system, and users are uniquely identified by an email address.

Some versions of MSN Messenger expose the current user's display name and contact list through an ActiveX control available to arbitrary javascript programs. In the absense of a display name, the user's email address is revealed. Malicious web pages may use this to gather personal information or track a user through multiple domains.

Additional information is available to trusted domains stored in the registry. By default, no domains are defined here, although several Microsoft sites are trusted regardless.