A spokesperson at MSN's Australian arm confirmed it has been aware of the vulnerability since details were posted on Bugtraq, a security mailing list, on Tuesday, but is still looking for a solution.
“To the best of our knowledge no MSN users have been affected,” the spokesperson said.
According to the posting, any Web site, in any domain, could use MSN Messenger or Windows Messenger on XP to obtain personal information about a user.
Richard Burton, who posted details of the vulnerability on Bugtraq, said that anyone can use JavaScript to obtain a user's Messenger display name and the display names of their contacts.
“For users who have a sensible and accurate display name, this should be considered a privacy issue,” he said.
Burton also alleges that if users have not set a display name, the vulnerability will reveal their e-mail address.
In his posting, Burton recommended users set a display name so that their address isn't easily obtainable. He has also made suggestions to Microsoft about how it could fix the vulnerabilities.
MSN said it would be looking at a solution this week.







