Skip to content

Kévin Dunglas

Founder of Les-Tilleuls.coop (worker-owned cooperative). Creator of API Platform, FrankenPHP, Mercure.rocks, Vulcain.rocks and of some Symfony components.

Menu
  • Talks
  • Resume
  • Sponsor me
  • Contact
Menu

MessengerFX’s security problem corrected

Posted on October 6, 2008 by Kévin Dunglas

Some times ago I found a Cross Site Scripting vulnerability in MessengerFX, a popular web-based Windows Live Messenger client. Friday I received from the team saying that the problem is now corrected:

Hi Kevin,
First of all i want to thank you for your warn. We fixed that problem and
now its working correctly.

[…]
If you find any other problem please let me know. Thanks again.

It was serious : Every software’s feature is available through Javascript. Any contact of a MessengerFX user can crash his browser, and futhermore get its contact list, add, remove, ban and unban contacts, read and send messages to any other contact of the victim ! Basically, an attacker just need to be listed in the contacts list of an MessengerFX user and this attacker can take control over the account.

In fact, all Javascript code is now removed server-side, so it’s impossible to send some snippets to a friend and the code is still executed locally (in the browser of the sender). The team explain that a new version of their app will be released soon and will better handle things like this.

Related posts:

  1. MessengerFX allows your contacts to take control over your WLM
  2. La faille de sécurité touchant MessengerFX semble corrigée
  3. Vulnérabilité critique dans MessengerFX
  4. NPM dependency hell: comparison with Symfony, Laravel and API Platform

2 thoughts on “MessengerFX’s security problem corrected”

  1. Pingback: MessengerFX allows your contacts to take control over your WLM - Un développeur freelance à Lille
  2. messengerfx says:
    November 30, 2008 at 9:35 am

    thank you

    Reply

Leave a ReplyCancel reply

Social

  • Bluesky
  • GitHub
  • LinkedIn
  • Mastodon
  • X
  • YouTube

Links

  • API Platform
  • FrankenPHP
  • Les-Tilleuls.coop
  • Mercure.rocks
  • Vulcain.rocks

Subscribe to this blog

Top Posts & Pages

  • FrankenPHP: The Modern Php App Server, written in Go
  • The Best of Both Worlds: Go-Powered gRPC for Your PHP and API Platform Apps
  • Develop Faster With FrankenPHP
  • Symfony's New Native Docker Support (Symfony World)
  • Running Laravel Apps With FrankenPHP (Laracon EU)
  • Securely Access Private Git Repositories and Composer Packages in Docker Builds
  • Unleash the Monster: The FrankenPHP elePHPant is Born
  • FrankenPHP 1.3: Massive Performance Improvements, Watcher Mode, Dedicated Prometheus Metrics, and More
  • New in Caddy 2.5: Redact Sensitive Data from Your Logs
  • How to debug Xdebug... or any other weird bug in PHP

Tags

Apache API API Platform Buzz Caddy Docker Doctrine FrankenPHP Go Google GraphQL HTTP/2 Hydra hypermedia Hébergement Javascript JSON-LD Kubernetes La Coopérative des Tilleuls Les-Tilleuls.coop Lille Linux Mac Mercure Mercure.rocks Messagerie Instantanée MySQL performance PHP Punk Rock Python React REST Rock'n'Roll Schema.org Security SEO SEO Symfony Symfony Live Sécurité Ubuntu Web 2.0 webperf XML

Archives

Categories

  • DevOps (85)
    • Ubuntu (68)
  • Go (20)
  • JavaScript (46)
  • Mercure (7)
  • Opinions (91)
  • PHP (175)
    • API Platform (79)
    • FrankenPHP (14)
    • Laravel (1)
    • Symfony (97)
    • Wordpress (6)
  • Python (14)
  • Security (15)
  • SEO (25)
  • Talks (46)
© 2025 Kévin Dunglas | Powered by Minimalist Blog WordPress Theme