Security Issues in Rediff Bol Messenger

The widely used Indian Instant Messaging service "Rediff Bol (Ver. 2.0.2)" by www.rediff.com has a few security problems. The major one is that a malicious user can log out a user by "feeding" a specially ;)) constructed URL to him.

1. Malicious logging out of a user:

Rediff Bol registers a URL protocol "Rbol:" with its main executable bol.exe as the handler. Therefore, when a URL starting with "rbol:" (without the quotes) is accessed, bol.exe is launched and the parameters are passed to it for further action. In this case, when the URL "rbol:login" is accessed (through a browser, for instance), the application misbehaves and logs out the user. Further, he will not be able to log in again unless bol.exe is completely terminated and restarted. I say "completely terminated" because sometimes, after exploitation, just pressing "exit" will not stop bol.exe completely until it is killed from the Task Manager.

This is further exacerbated because the email service provided by www.rediff.com does not have *any* kind of malicious scripting check and therefore is prone to all kinds of XSS attacks. Consequently, if 'A' wants to chuck 'B' out of a 'Rediff Bol' session, he can send an HTML mail to B's Rediffmail account which, when opened, will redirect him to the "rbol:login" URL. This will log 'B' out of 'Bol'. And, of course, the HTML mail will contain something like:

    <script> window.location="rbol:login" </script>

Solution:
Deleting/disabling the "Rbol:" protocol from the 'HKCR\rbol' registry key will solve the problem until the vendor provides a more graceful solution ;). According to my investigation, the "Rbol:" protocol is presently not used by Bol to provide any core service and therefore it can probably be safely disabled.

2. Unencrypted Transfer of Account/Authentication Information:

When a user logs in to Rediff Bol, the account information (user name, password, etc.) that is transferred to the server from the client is not encrypted in any way. Consequently, anyone sniffing along the route can gain access to this information.

Solution:
The user cannot do much to protect himself from this kind of sniffing. This has to be resolved by the vendor.

Regards
S.G.Masood
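
The registry workaround from item 1, written out as an added PowerShell example (not part of the original advisory and not vendor code). It inspects the 'HKCR\rbol' registration, exports it so it can be restored, and then removes it; the backup file location is an assumption.

```powershell
# Added example: audit and disable the "rbol:" URL protocol handler.
# HKCR is not mounted as a PSDrive by default, so use the Registry:: provider path.
$scheme  = 'rbol'
$keyPath = "Registry::HKEY_CLASSES_ROOT\$scheme"
$backup  = Join-Path $env:TEMP "$scheme-handler-backup.reg"   # assumed backup location

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output "No '${scheme}:' handler is registered; nothing to do."
    return
}

# Windows treats a class key as a URL scheme only if it carries a "URL Protocol" value.
$key = Get-Item -LiteralPath $keyPath
$isUrlProtocol = $key.GetValueNames() -contains 'URL Protocol'

# Show which executable the scheme launches before changing anything.
$cmdPath = "$keyPath\shell\open\command"
$handler = if (Test-Path -LiteralPath $cmdPath) {
    (Get-Item -LiteralPath $cmdPath).GetValue('')   # default value holds the command line
} else {
    '<no shell\open\command subkey>'
}

Write-Output "URL Protocol value present: $isUrlProtocol"
Write-Output "Handler command line      : $handler"

# Export first so the registration can be restored later with 'reg import'.
& reg.exe export "HKCR\$scheme" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; key left untouched." }

# Remove the whole registration (run elevated if the key is machine-wide).
Remove-Item -LiteralPath $keyPath -Recurse -Force
Write-Output "Removed HKCR\$scheme. Backup saved to $backup"
```

Reinstalling or updating the client may register the handler again, so the check is worth repeating after any upgrade.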