ICQ Insecurities (ICQ users please read)

Christian Boylove Forum

ICQ Insecurities (ICQ users please read)

Submitted by N0M4D on March 14 2001 13:51:33

ICQ is much more insecure than I had first imagined, and poses a very real threat to users. My appologies for soliciting contact over the board- however well intentioned it was.

I consider myself to be a pretty security minded individual- in technology as well as just in general privacy. When I first joined BoyChat I had heard stories about how insecure ICQ was, so when people asked to exchange ICQ numbers I told them I'd rather not use it. Well, after a while I gave in to the 'pressure' to install ICQ so that I could chat with the majority of the BC posters I was meeting. The ICQ chat client has always been dangerous by reputation- but I thought if I used a proxy it wouldn't matter if people revealed the proxy.

I assumed that setup would be good enough to make my number public but I didn't really test it because in theory it was completely secure. Then recently I was asked how to set up ICQ so that it would be secure enough to use for a project that needed a public number. After thinking about it, I just gave them the same information that I had used to set up my client and felt that they were secure. But I have always held other people's security higher than even my own, and decided that I had to test things out to be sure I was really providing a secure system for them to use.

As I was doing a little more research I came across quite a few programs that really concerned me, and earlier today I tested them. What I found was very surprising. Not only does ICQ fail to provide minimal security for your external IP, it also freely distributes your internal IP (if your behind a firewall) and allows anyone to bypass the authorization and add you to their ICQ list immediately- and you have no way to block them except to stay in Invisible mode. Luckily, it seems even if they override authorization it will notify you who added you to their list.

This kind of insecurity combined with most users' habits of using the same nick and email for their ICQ account is VERY compromising. With easy to find programs, any CA out there could track down many users' IPs, which then could lead to their general location or even places of work.

There are also a wealth of programs that deal in spoofing UINs- taking over another person's account and appearing on ICQ as if you were them. I haven't found any that seem to work for me but there's a very good chance that at least one of them does work. That insecurity would allow a CA who had figured out two or more UINs to leave messages on ICQ as if they actually were another poster.

So what does this mean to you? If you don't use ICQ to chat: nothing. If you do: ANYONE who has you on their contact list can find your IP when you are on! It is VERY important that you TRUST *EVERY* person you give your ICQ number to. Your basically trusting them to respect your privacy and protect your security.

If you use ICQ with a different nickname and email address than you do here, your probably safe from people you don't know finding you. Yet, if you have used the same nick or email addy both places- then you are IN DANGER of unknown users (trolls or otherwise) finding your IP without your permission- since authorization can be bypassed and anyone can put you on their contact list!

This isn't a chain mail spouting myths just designed to scare you into forwarding the email or attempting to create hysteria. I have seen what these programs can do myself, and I have verified it with Tootles this afternoon that they are accurate and functional. PLEASE take this post seriously. If you use ICQ you must make sure that you keep your number private, and that you don't use the same nick or email address on both the board and in ICQ Details! IF YOU HAVE BEEN, YOU SHOULD SERIOUSLY CONSIDER GETTING A NEW NUMBER. It's a pain, but your security and privacy as a poster is a very important matter.

If you want, you can even leave the email address and nick name options blank in ICQ. When people add you with just your ICQ number, they can put your nick name in themselves. That way you won't come up if someone is searching for you by the ICQ directory.

In addition, anyone who runs the 99 or 98 versions of ICQ are susceptible to a security flaw that can allow anyone on the internet to download files right from your computer without you knowing. This is particularly dangerous if your number is known. A person can figure out your IP, and then download any file they want from you. It does this by exploiting a built in "mini-web server" in those versions. To disable this, go to

Lastly, I apologize for posting my own ICQ number so publicly. It very well could have encouraged other posters who know or trust me to be less cautious with their own number. I will be changing my number shortly, to prevent my own insecurity- but those who have questions or want to ICQ with me can still email me at N0M4D@mail.com ... I hope this info helps you all!

Peace,
TH3 N0M4D

Follow ups:

Some things I've found out.. - N0M4D March 15 2001 00:40:04 (2)
- thanks - F.O.D. March 16 2001 09:03:18 (0)
- Personal security - Dirk Gently March 15 2001 22:33:28 (0)

Post a follow up message:

Username:		Password:
Email (optional):
Subject:

Link URL:
Link Title: