Microsoft knows who you are and who you know

Published Thursday, 7 February 2002 4:43AM CST by in Privacy


Microsoft reportedly designed its Messenger software so that it could identify Internet Explorer users on its web sites. Of course, this identification takes place surreptitiously, without the user’s knowledge or consent. Predictably, the feature can potentially be abused by anyone with access to a web server.

According to Richard Burton in a post to the BugTraq mailing list, the Messenger feature allows anyone to obtain a user’s Messenger username and the usernames of all the individuals in his contact list. And if the usernames aren’t available, Messenger conveniently displays the email addresses of the user and his contacts instead. Burton has published a demonstration of the privacy breach.

All that’s needed to display the usernames and email addresses is for an invasive piece of software—such as one of the many spyware variants—to make a registry entry on the victim’s computer. Specifically, adding the simple entries of “.com”, “.net” and “.org” to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes key would allow virtually any web server on the net to identify you and your contacts by your Messenger usernames and email addresses.
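To check a machine for the registry entries described above, the following audit script is an added example, not code from the article or from Burton's post. The article does not say whether the suffixes are stored as value names or as value data, so the script assumes either and inspects both; the function names are hypothetical.

```powershell
# Added example: audit the Messenger "Suffixes" policy key named in the article.
# Assumption: entries may be stored as value names or as value data (the page
# does not say which), so both are collected.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes'

function Test-BroadSuffix {
    param([string]$Entry)
    # A bare suffix such as ".com" has a single label, so it covers every
    # site registered under that top-level domain.
    return $Entry.Trim() -match '^\.?[A-Za-z]{2,}$'
}

function Get-MessengerSuffixFindings {
    param([string]$Path = $keyPath)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $key = Get-Item -LiteralPath $Path
    $entries = foreach ($name in $key.GetValueNames()) {
        $name
        $key.GetValue($name)   # string or string array; arrays unroll here
    }
    $entries |
        Where-Object { $_ -is [string] -and $_ } |   # skip numbers and the empty default name
        Sort-Object -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Entry = $_
                Broad = Test-BroadSuffix $_
            }
        }
}

$findings = @(Get-MessengerSuffixFindings)
if ($findings.Count -eq 0) {
    'Suffixes key absent or empty.'
} else {
    $findings | Format-Table -AutoSize
    if ($findings.Broad -contains $true) {
        Write-Warning 'Bare TLD entries present; per the article these expose Messenger identities to any web server under them.'
    }
}
```

Run it from an elevated PowerShell prompt on the machine being checked; entries flagged `Broad` are the ones to investigate and remove.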

And just what does Microsoft do with this information? It’s hardly a stretch to assume that Microsoft shares this user identification information with the advertisers that appear in the lower panel of Messenger.

The preliminary solution appears to be to use a browser other than Internet Explorer.
