It’s common knowledge that Microsoft Windows Live Messenger is one of the most insecure instant messengers out there, since its communication protocol doesn’t use any kind of encryption.
Today, while I was working on my pet honeypot project, I found out that it also leaks users’ public IP addresses when they exchange links during their conversations.
So, let’s say you type in www.example.com/something/test.php and press Enter to send it to your conversation partner. The moment you do that, WLM without any warning will open a connection to the aforementioned host and send a HEAD HTTP request, thous exposing your public IP address.
HEAD /test/something.php HTTP/1.1 User-Agent: Windows-Live-Social-Object-Extractor-Engine/1.0 Host: www.example.com Content-Length: 0 Cache-Control: no-cache
Someone could say “So? What’s the big deal?”. Sure, if you’re exchanging links to YouTube and Facebook, it’s not a big deal -probably no one gives a fuck for the videos you’re watching or the people you’re stalking. On the other hand, things like that might expose your identity, if let’s say, you browse a host through a darknet like TOR or I2P, and decide (without giving it much thought) to share a link to that host through Windows Live Messenger.
…Of course there are not many chances that you’re using TOR/I2P while using WLM for your instant messaging.Β 
