It’s common knowledge that Microsoft Windows Live Messenger is one of the most insecure instant messengers out there, since its communication protocol doesn’t use any kind of encryption.
Today, while I was working on my pet honeypot project, I found out that it also leaks users’ public IP addresses when they exchange links during their conversations.
[2/12/2010: It seems that Facebook developers changed the structure of chat messages, so the data filtering/extraction methods are pretty much useless now. Will update the code some time soon.]
Not long ago, I demonstrated at my university’s IEEE branch’s event a live man-in-the-middle attack and eavesdropped on Facebook chat conversations and gained access to a student’s Facebook account by stealing cookies over the network. Since I didn’t have much time to prepare for that presentation, the code I wrote was pretty sloppy and missed some of the messages exchanged.
Tonight, I took some time to rewrite it and fixed few bugs. Now it doesn’t miss anything, even if someone is flooding the conversation with a burst of messages.
