Pidgin and Windows Live Messenger

Ethan Blanton elb at pidgin.im
Tue Mar 25 08:47:13 EDT 2014


Lord Flame Stryke spake unto us the following wisdom:
> I have found a definite security flaw with Windows Live Messenger when
> using Pidgin.  I have already sent an email to Microsoft to inform
> them of this.

Microsoft is the correct point of contact for this, we can't do
anything about it.  They won't do anything about it, as this service
is being terminated within the next couple of months.

> In Pidgin, when disallowing multiple logins, Pidgin becomes the sole
> location that can be logged in.  When attempting to operate remotely,
> I could not log in on any other device, so I could not disconnect
> Pidgin.  In an attempt to log out of Pidgin, I logged in to the
> Windows Live site and changed my password, however Pidgin did not log
> out and, in fact, is currently sitting open on my desktop logged in
> without my having changed the password within Pidgin.
> 
> My concern is that, should someone gain access to my account, or to
> any other user's account, they would be able to disallow multiple
> logins and essentially hijack the account.  I believe this presents a
> serious security flaw.

For the record, this depends entirely on context.  It could be a
security flaw, or it could be a security measure.  While it prevents
you from booting a Pidgin that you want to boot, it would also prevent
an attacker from booting a legitimate instance.  Either way, we can't
change the server behavior.

Ethan
