Tencent QQ hit by a major vulnerability: a hacker can log in to QQ Mail and other services - vulnerability warning - the black bar safety net

ID MYHACK58:62201443529
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2014-03-25T00:00:00


A very serious vulnerability in Tencent QQ was recently disclosed. The Tencent QQ client is said to have a serious security defect: one Tencent interface does not strictly validate the source IP of a request, so the access protection around the ClientKEY can be bypassed. A hacker only needs to obtain a user's ClientKEY to access QQ Mail, QQ Zone (Qzone), QQ Album and every other Tencent business system. Put simply, even if your QQ password is never stolen, once a hacker intercepts your ClientKEY they can freely access your QQ Mail, QQ Zone, QQ Album and a whole series of other services.

With this new QQ vulnerability exposed, how do you stop QQ Zone, QQ Album, QQ Mail and the other QQ services from being logged into remotely? First, as long as your computer has not been compromised, in theory you do not need to worry about this problem. Second, by the time you read this article Tencent may already have fixed the vulnerability, though it is also possible that it still exists...... Third, for the time being, avoid logging in with the QQ client on a computer......

So the QQ client turned out to be flawed...... Description of this QQ vulnerability: anyone who has studied Tencent client security knows that the ClientKEY is a global access token for Tencent's entire business system; whoever obtains a user's ClientKEY can access all of Tencent's business systems. After white hats repeatedly reported vulnerabilities in the Tencent single sign-on system (for example the cross-domain hijacking vulnerabilities in the Tencent single sign-on system, reported twice), Tencent added source IP validation to reduce the threat posed by client-side attacks. Tencent's reasoning was probably: "even if you get hold of my KEY, you are not on the same network, so you still cannot affect me!"
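To make the two design points above concrete (a single token that unlocks every service, guarded only by a source IP check that is not applied strictly), here is an added illustration. It is not Tencent's code and does not reflect how their interface actually works; the token format, the HMAC binding of a key to an IP address, and the idea that "non-strict" validation means trusting a client-supplied X-Forwarded-For header instead of the real connection peer address are all assumptions made for the demonstration. The constructed sample shows why the strict check rejects a leaked key presented from another address while the lax check lets it through.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo secret; a real deployment would load this from a key store.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"


@dataclass(frozen=True)
class IssuedKey:
    token: str      # the "ClientKEY" handed to the client (hypothetical format)
    bound_ip: str   # the source address the key was issued to


def issue_client_key(user_id: str, client_ip: str) -> IssuedKey:
    """Issue a global key whose MAC covers the user and the issuing IP."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(
        SERVER_SECRET, f"{user_id}|{client_ip}|{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return IssuedKey(token=f"{user_id}.{nonce}.{mac}", bound_ip=client_ip)


def _key_is_authentic(token: str, source_ip: str) -> Optional[str]:
    """Return the user id if the token's MAC matches for this source IP."""
    try:
        user_id, nonce, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(
        SERVER_SECRET, f"{user_id}|{source_ip}|{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return user_id if hmac.compare_digest(expected, mac) else None


def validate_lax(token: str, headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Non-strict check (assumed weak pattern): the 'source IP' is whatever the
    request claims in X-Forwarded-For, so the IP binding adds nothing."""
    claimed_ip = headers.get("X-Forwarded-For", peer_ip)
    return _key_is_authentic(token, claimed_ip)


def validate_strict(token: str, headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Strict check: only the transport-level peer address counts; request
    headers are ignored for the binding decision."""
    return _key_is_authentic(token, peer_ip)


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a key issued to 203.0.113.10 is later presented
    from 198.51.100.7 with a spoofed X-Forwarded-For header."""
    key = issue_client_key("10001", "203.0.113.10")
    spoofed = {"X-Forwarded-For": key.bound_ip}
    return {
        "owner_strict": validate_strict(key.token, {}, key.bound_ip),
        "leaked_lax": validate_lax(key.token, spoofed, "198.51.100.7"),
        "leaked_strict": validate_strict(key.token, spoofed, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted as ' + result if result else 'rejected'}")
```

The point a defender should take from this: an IP binding only helps if the server derives the address from something the client cannot set, and even then a single key that grants every service remains a high-value target; scoping tokens per service limits what one leaked key can reach.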