Jul 28, 2011 15:00 GMT

Serious cross-site scripting (XSS) vulnerabilities that could be exploited to hijack people's accounts have been identified in the ICQ website and instant messaging application.

The vulnerabilities were discovered by Levent Kayan, an Armenian security researcher who recently found a similar flaw in Skype.

"ICQ.com suffers from a persistent Cross-Site Scripting vulnerability due to a lack of input validation and output sanitization of the 'feeds' entry. Other input fields may also be affected," the researcher warns in his advisory.

The persistent nature of the flaw means that attackers can create pages which execute malicious code when users visit them.

The vulnerability can easily be exploited to steal session cookies and hijack people's accounts. A similar XSS weakness was located in the profile entries of the actual ICQ application.

"An attacker could trivially hijack session IDs of remote users and leverage the vulnerability to increase the attack vector to the underlying software and operating system of the victim," the researcher writes.

ICQ is particularly popular in Eastern Europe and Russia. It was sold by AOL to Russian investment firm Digital Sky Technologies in April 2010. According to H Security, ICQ developers are aware of these security issues and are working to resolve them.

Cross-site scripting is one of the most common types of vulnerabilities found on the Internet. These flaws are usually located in websites, but since many instant messaging applications use HTML layouts, they can also be vulnerable.

There are several types of XSS weaknesses, with reflected flaws being the least serious and persistent ones the most dangerous. Reflected XSS flaws require attackers to trick victims into clicking on specially crafted URLs, whereas persistent ones can be exploited directly through existing pages.
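
The advisory blames the persistent flaw on missing input validation and output sanitization of a stored entry. The sketch below is an added example, not ICQ's code or the researcher's: it renders a stored feed entry without and with those two controls, and sets a session cookie that page script cannot read. The entry shape (`title`, `url`), the function names and the cookie name `sid` are assumptions, and the stored entries are constructed.

```javascript
// Added illustration: hypothetical names, constructed data; not ICQ code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML element content and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: a feed link must be an absolute http(s) URL.
function safeFeedUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (err) {
    return null; // not a parseable absolute URL
  }
}

// "Before": the stored value goes into the page as markup, so every visitor
// who loads the page gets whatever the entry's author stored.
function renderFeedUnsafe(entry) {
  return '<li><a href="' + entry.url + '">' + entry.title + '</a></li>';
}

// "After": validate the URL, encode every stored value at output time.
function renderFeedSafe(entry) {
  const url = safeFeedUrl(entry.url);
  const title = escapeHtml(entry.title);
  return url ? '<li><a href="' + escapeHtml(url) + '">' + title + '</a></li>'
             : '<li>' + title + '</li>';
}

// Defence in depth for the session-cookie theft the article mentions:
// HttpOnly keeps the cookie out of reach of page script.
function sessionCookie(id) {
  return 'sid=' + encodeURIComponent(id) + '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Constructed stored entries, as they would sit in a database.
const storedFeeds = [
  { title: 'News & updates', url: 'https://example.com/rss?a=1&b=2' },
  { title: '<script>alert(1)</script>', url: 'javascript:alert(1)' },
];

for (const f of storedFeeds) console.log(renderFeedSafe(f));
console.log(sessionCookie('abc 123'));
```

Encoding at output time covers entries that were stored before any validation existed, which is why it is applied even to values that passed the URL check.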