
Vulnerability in ICQ allows access to the archive of files transferred via the service.

After Mail.ru acquired the once-popular ICQ messaging service, the way files are transferred between messenger users changed. Previously, files were sent directly from the sender to the recipient; now the sender uploads the file to the company's server and the recipient downloads it via a public link. The link has the form http://files.icq.net/files/get?fileId=XXXXXX, and knowing it is all that is needed to fetch the uploaded file, because no measures are taken to restrict access. Since the dynamically generated part of the link consists of only six characters (digits or upper-case English letters), the entire archive of files recently transferred via ICQ can be reached by brute-force enumeration. It is easy to calculate that this gives just over two billion combinations.

The data leak was described by the blogger ntv in his LiveJournal diary. As noted on his page, a Java program appeared on the Internet today that uses the vulnerability: it randomly generates links in the specified format and then tries to download files from them. The program's logs show that most of the generated links do not correspond to any file on the server, and some lead to images that are too large or to other file types that the server does not serve, but some of the links return personal photos and pictures uploaded by someone via ICQ.



Among the images received from the server you can find photos of passports and scans of documents, screenshots of video games and nude photos; what's more, even the seals are there. I think more than one person will be able to recognize themselves or their loved ones in the photos from the archive. It must be assumed that the full archive of the received images will soon be available through torrents.
As noted by the ntv blogger, the QIP messenger is also subject to this vulnerability, but the links in it are longer and therefore more resistant to brute force. We note that about two years ago, a similar vulnerability was used to gain access to the archive of images transmitted via the Quip photo app for iPhone. As you can see, Mail.ru programmers do not particularly follow such news.

I think that one of the photographs obtained using this vulnerability best describes the current situation.



Update: The vulnerability has been closed; an error is now returned when trying to access a file. Obviously, the ability to transfer files in the ICQ client has also been disabled.

Source: https://habr.com/ru/post/165533/

