Instant Messaging Vulnerabilities, Unauthorized Instant Messaging and Protection Against Risks

Written by:  • Edited by: Bill Bunter
Updated Jun 3, 2010

Instant messaging is a great way to communicate, but nowadays it comes at a steep price. Organizations suffer from various exploits, and individuals suffer from malware infestations. Inside is an in-depth look at instant messaging vulnerabilities and unauthorized IM usage.

The Basics of Instant Messaging: How does Instant Messaging Work?

To get a better understanding of the vulnerabilities that come with Instant Messaging (IM), we have to understand the basics first. How does an Instant Messaging program work? Does it have corporate IT support? Why or why not? How far does the problem spread?

Almost all IM programs use a client-server architecture. A user signs up to the IM system and receives or chooses a username and password combination. The user then starts the IM client program and enters his credentials. The program connects to the server, which verifies the user's identity and, if successful, connects the user to the system and retrieves his preferences and contact list. Some IM programs use a different approach: the user asks for a connection to another user, and the server returns the requested user's IP address to the client program. Both clients, the one that requested the connection and the one it wants to reach, then know each other's address and begin to send messages.

Instant Messaging Vulnerabilities

So far, the IM platform seems very easy and manageable. It is not: the platform on which IM programs operate has two fundamental risks:

  1. The communication between the client(s) and the server is not encrypted. This is the same as writing a letter and sending it without an envelope, allowing anybody who handles or intercepts it along the way to read it.
  2. The clients add special features to distinguish themselves from the others. The most frightening feature is allowing scripting on the client systems by using Visual Basic, Java or any proprietary language.

If we look at the first vulnerability, it amounts to letting everything private travel freely over the Internet. Whatever you write and whatever you send as a file can be seen, read, downloaded, logged and saved. The eavesdropper's work is easy: find an IP address, sit down and read whatever is on the screen. The client programs are also prone to account hijacking, leading to identity theft. The password protection is very limited, and some IM clients store the usernames and passwords in a file on the disk, offering everything to the attackers on a golden plate. If you don't know how to steal those, a quick search will take you to many how-to sites that describe the process. If these are not enough, the IM programs have bugs and limitations that can be exploited by the attackers. This applies not only to the IM programs, but to all the software installed on the computer (including the operating system).

If we look at the second vulnerability, it is no less frightening than the first one. You would not want a piece of malicious code running in your favorite IM program, one that seems only to change skins while God knows what it is doing in the background.
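For the first risk, a network team can check which IM sessions actually leave the organization unencrypted. The following is an added example, not code from the original article: it classifies the opening bytes of a client-to-server flow as TLS, readable cleartext, or unknown. The flow names, the text-based login line and the sample payloads are constructed for illustration.

```python
import string

# Byte values a text-based chat protocol would normally consist of.
PRINTABLE = frozenset(string.printable.encode("ascii"))

def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return (content_type == 22            # record type: handshake
            and major == 3 and minor <= 3  # record-layer version 3.0 to 3.3
            and 0 < length <= 16384        # record payload limit is 2^14 bytes
            and data[5] == 1)              # handshake type: ClientHello

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def classify_flow(first_bytes: bytes) -> str:
    """Label a flow by the first bytes the client sent to the server."""
    if is_tls_client_hello(first_bytes):
        return "tls"
    if printable_ratio(first_bytes) >= 0.9:
        return "cleartext"  # readable by anyone on the path
    return "unknown"        # binary, but not recognisably TLS

def audit(flows: dict) -> list:
    """Return the ids of flows whose opening bytes are readable text."""
    return [fid for fid, data in flows.items()
            if classify_flow(data) == "cleartext"]

# Constructed sample data: opening bytes of three client-to-server flows.
FLOWS = {
    # hypothetical text-based IM login followed by a message
    "flow-a": b"LOGIN alice s3cret\r\nMSG bob see attached Q3 budget\r\n",
    # TLS record header + start of a ClientHello, padded with zero bytes
    "flow-b": bytes.fromhex("16030100c8010000c40303") + bytes(32),
    # opaque binary that is not TLS
    "flow-c": bytes(range(128, 192)),
}

if __name__ == "__main__":
    for fid, data in FLOWS.items():
        print(fid, classify_flow(data))
    print("flows to review:", audit(FLOWS))
```

A "tls" result only shows that the session starts with a TLS handshake; it says nothing about certificate validation or what the client does after the handshake. An "unknown" result still needs manual review, since proprietary binary framing is not the same as encryption.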

Showing page 1 of 3

 