Thanks to neo1980 on the forums for the heads up on this one :)
I thought I"d post this here to alert all you Neowinians out there:
A nifty feature in MSN and Windows Messenger which apparently was intended to identify IE users (without their knowledge or consent) on Microsoft Web sites can easily be abused by any Webmaster with a bit of Javascript or VBscript, a clever empiricist has discovered.
The feature allows anyone to obtain a surfer"s Messenger username and those of his contacts, according to Richard Burton in a post Monday to the BugTraq mailing list.
Worse, if a username is not available, the e-mail address of the surfer and those of his contacts are displayed instead.
Only Microsoft.com, Hotmail.com and Hotmail.msn.com should be able to access the e-mail address of the surfer and his contacts -- which of course is bad enough. However, a piece of software could easily make a registry entry during installation which would allow an associated Web site to obtain full details from Messenger.
Using the registry key
HKEY_LOCAL_MACHINESOFTWAREMicrosoftMessengerServicePoliciesSuffixes
a semi-malicious program could easily enable Web access by adding domain suffixes. According to Burton, the suffix can be as little as .org or .com, which would enable any Web site with that suffix to access your details.
By default, there are no suffixes listed in the registry, Burton says, but the Microsoft domains are hard-coded into Messenger, presumably to enhance the company"s renowned devotion to customer service, or to accommodate the advertising industry in some backchannel manner.
EDIT: I do realise that the vast majority of Neowin"s users are experts / power users so this may not exactly be front page news. However, for others I thought I"d post this story may be a little helpful in understanding what their "puter is doing. Laters, Cheeky.