An anonymous subscriber to the BugTraq mailing list has pointed out numerous flaws in Mirabilis' ICQ personal internet messaging software. The company may be a victim of its own success. Since releasing its ICQ (I Seek You) program in November 1996, Mirabilis has seen its user base grow to nearly 12 million and hits to its web site increase exponentially. In May, Hot100.com named Mirabilis the web's fourth most visited site, behind only Yahoo, Netscape and Microsoft.

ICQ was apparently never designed to carry critical or sensitive information, and it shows. Sites such as ICQ Spoofing (http://www.digivill.net/~minus/icq/) now offer multiple tools for cracking ICQ user identification numbers (UINs), including ICQsniff, for reading passwords off a LAN, and ICQFlood, for mailbombing unsuspecting targets.

As the discoverer of several flaws in ICQ, posting to BugTraq under the name Wumpus, observes: "Mirabilis has been extremely negligent in fixing protocol holes, and this allows accounts to be subverted with possible leaks of information." If users leave their accounts open when they walk away from a computer, for example, hackers can change their passwords, hijacking their accounts and preventing the legitimate users from getting back in.

Wumpus says he has given Mirabilis fair warning and that its officials have failed to respond adequately to the threat. Accordingly, he has turned his efforts to the public arena in a bid to draw attention to the security flaws. "There are no real workarounds for this problem," he concludes. "If you value your ICQ account, do not log into it until a fix is available. Otherwise, you can hope no one bothers to hit your UIN – there are a huge number and you might be lucky."