January 12, 2013 at 08:39Vulnerability in ICQ allows access to the archive of files transferred through the service
After the acquisition by Mail.ru of the once-popular ICQ messaging service, the method of transferring files between messenger users was changed. If earlier files were sent directly between the sender and the recipient, now the sender uploads the file to the company’s server, and the recipient downloads it via a public link. The link to the file is of the form http://files.icq.net/files/get?fileId=XXXXXXand to gain access to the file uploaded to the server, you only need to know it, since no measures are taken to limit access to the file. Since the dynamically generated part of the link consists of only six characters (numbers or English letters in upper case), this makes it possible to gain access to the entire archive of files transferred recently through ICQ by brute force. It’s easy to calculate that just over two billion combinations are available this way.
I wrote about a detected data leakntv blogger in his diary on LiveJournal website. As noted on his page, a program in Java has appeared on the Internet today that uses the vulnerability found and randomly generates links in the specified format, after which it tries to download files from the resulting links. It can be seen from the logs of the running program that most of the generated links do not correspond to any files on the server, some of the links lead to too large images or files of other types that the server does not give, but some of the links return personal photos uploaded by someone earlier via ICQ and pictures.
Among the images received from the server, you can find photos of passports and scans of documents, screenshots of video games and shooting of nudity, but what is there, even the cats are. I think that not one person will be able to recognize himself or his relatives in photographs from the archive. It is worth suggesting that a complete archive of the received images will soon be available through torrents.
As the ntv blogger notes, the QIP messenger is also susceptible to this vulnerability, however, the links are longer in it, which means they are more resistant to sorting. We note that about two years ago, a similar vulnerability was used to gain access to the archive of images transmitted through the Quip photo application for an iPhone. As you can see, Mail.ru programmers do not particularly follow such news.
I think that one of the photographs obtained using this vulnerability will best describe the current situation.
Upd. Vulnerability was successfully defeated, an error is issued when trying to access. Obviously, the ability to transfer files in the ICQ client has also been disabled.
I wrote about a detected data leakntv blogger in his diary on LiveJournal website. As noted on his page, a program in Java has appeared on the Internet today that uses the vulnerability found and randomly generates links in the specified format, after which it tries to download files from the resulting links. It can be seen from the logs of the running program that most of the generated links do not correspond to any files on the server, some of the links lead to too large images or files of other types that the server does not give, but some of the links return personal photos uploaded by someone earlier via ICQ and pictures.
Among the images received from the server, you can find photos of passports and scans of documents, screenshots of video games and shooting of nudity, but what is there, even the cats are. I think that not one person will be able to recognize himself or his relatives in photographs from the archive. It is worth suggesting that a complete archive of the received images will soon be available through torrents.
As the ntv blogger notes, the QIP messenger is also susceptible to this vulnerability, however, the links are longer in it, which means they are more resistant to sorting. We note that about two years ago, a similar vulnerability was used to gain access to the archive of images transmitted through the Quip photo application for an iPhone. As you can see, Mail.ru programmers do not particularly follow such news.
I think that one of the photographs obtained using this vulnerability will best describe the current situation.
Upd. Vulnerability was successfully defeated, an error is issued when trying to access. Obviously, the ability to transfer files in the ICQ client has also been disabled.