[9966] in bugtraq

abuse of nickserv

daemon@ATHENA.MIT.EDU (Nelson Little)
Thu Mar 25 20:46:52 1999

Date: 	Tue, 23 Mar 1999 22:13:29 -0800
Reply-To: Nelson Little <nel74@TIG.COM.AU>
From: Nelson Little <nel74@TIG.COM.AU>
To: BUGTRAQ@NETSPACE.ORG

Hi,

Many people that IRC on Dalnet have scripts which automatically identify
their nicknames via "/msg nickserv identify your_password". This works fine;
however, if you also IRC on Undernet you can run into a problem. Undernet
has no nickserv so if someone on Undernet decides to use the nick "nickserv"
they will be exposed to countless passwords from all the people that
automatically identify themselves. Once the evil user has these passwords
they can jump on Dalnet and steal that person's nick and change the
password. With a bit of brain power, and I won't go into how, they can also
abuse op in any channels that person has op access in.

Dalnet has been advised and starting on April 15th, you'll need to identify
to NickServ using /msg NickServ@services.dal.net IDENTIFY instead of just
using /msg NickServ IDENTIFY.

All the other IRC networks that I tested have a nickserv bot which halts
the abuse mentioned above.

Regards
Nelson
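
The following is an added example, not part of the original post: a small Python audit that finds auto-identify lines in a client script which address a bare "nickserv" and rewrites them to the server-qualified form the post describes. The function names, the sample script and the placeholder password are constructed for illustration; the only host used is the `services.dal.net` address given in the post.

```python
import re

# Services host per nick. Only the DALnet value from the post is listed;
# extend this mapping for other networks (assumption: same nick@host form).
SERVICES_HOST = {"nickserv": "services.dal.net"}

# Matches "/msg <target> identify ..." and the "msg"/"privmsg" spellings.
IDENTIFY = re.compile(
    r"^(?P<indent>\s*)(?P<cmd>/?(?:msg|privmsg))\s+(?P<target>\S+)\s+"
    r"(?P<verb>identify)\b(?P<rest>.*)$",
    re.IGNORECASE,
)

def audit_line(line):
    """Return (status, line). status: 'ok', 'unsafe' or 'other'."""
    m = IDENTIFY.match(line)
    if not m:
        return "other", line
    nick, _, host = m.group("target").partition("@")
    expected = SERVICES_HOST.get(nick.lower())
    if expected is None:
        return "other", line           # not a services nick we know about
    if host.lower() == expected:
        return "ok", line              # already pinned to the services host
    # Bare nick (or unexpected host): whoever holds that nick gets the password.
    fixed = (m.group("indent") + m.group("cmd") + " " + nick + "@" + expected
             + " " + m.group("verb") + m.group("rest"))
    return "unsafe", fixed

def audit_script(text):
    """Return (line numbers flagged unsafe, rewritten script text)."""
    flagged, out = [], []
    for number, line in enumerate(text.splitlines(), 1):
        status, fixed = audit_line(line)
        if status == "unsafe":
            flagged.append(number)
        out.append(fixed)
    return flagged, "\n".join(out)

# Constructed sample of an on-connect script; the password is a placeholder.
SAMPLE = """on connect:
  /msg nickserv identify PLACEHOLDER_PW
  /msg NickServ@services.dal.net IDENTIFY PLACEHOLDER_PW
  /msg #chan hello
  msg NickServ identify mynick PLACEHOLDER_PW"""

if __name__ == "__main__":
    flagged, fixed = audit_script(SAMPLE)
    print("unsafe lines:", flagged)
    print(fixed)
```

Any password that was ever sent by a flagged line on a network without services should be treated as exposed and changed.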
