AOL Still Working On AIM Security Hole
TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.
This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.
The reason everyone is talking about this hole allowing people to get credit cards is not because you can somehow find out the credit card number used to open an AOL account. In fact, if there is an AOL account with the same name as an AIM account, it won't work. People are talking about credit card fraud because with someone's AIM password and buddy list, it is a hell of a lot easier to do some social engineering, and that is exactly what some people are doing.
The way this hole works is by changing a couple variables during runtime in AOL while creating a new screen name. Apparently, there is a variable corresponding to the screen name you want to create, and also a variable that contains two characters which are later prepended to the first variable. The hole is that if you put the first two characters of the name you want to steal in the second variable, and the rest of the name in the first variable, AOL's server will only check the first variable against its user name database.
A much more detailed explanation here
If someone takes the password to your screenname then it doesn't matter HOW you connect to the service -- whether over AIM, Gaim, or Jabber -- the screenname's password has been compromised and you no longer have it.
---
Rob Flynn
Pidgin
YET, here we have AOL knowing about a problem for MONTHS and not fixing it?
If I remember correctly, Microsoft, before they got out of the AIM network to concentrate on their own IM userbase, mentioned that there was a huge security hole in AIM and AOL blew it off as MS FUD. Maybe they knew about it all along and kept it a secret figuring that someone would find it eventually.
Personally, I use MSN Messenger. I used to use ICQ, then AOL got hold of it and turned it into the ultimate example of bloatware. How many people can remember when it was a 1.4 meg download? I think it's up to 6 megs now, has all kinds of stupid things like web servers and greeting cards that are almost never used, and they made the e-mail notification into a full-featured POS e-mail program that never would read e-mail because it would always screw up the downloading of headers. And I never used AIM for obvious reasons (it's from AOL).
The only IM clients I would even touch right now are Yahoo Messenger and MSN Messenger, and since MSN Messenger currently has exactly what ICQ had before it became a bloat monster, that's the one I use.
--
In Soviet Russia, Trojan exploits YOU!
How about, "It's their own network, so let them do whatever they want with it"? AIM's protocol was never fully open; the "Open your protocol back up" is just typical open-source drivel. They have an accessible protocol, TOC, which is implemented in their Java-applet clients and most open-source clients. Their binary protocol, OSCAR, is their own property. Some hacked implementations exist for other platforms, but they're not quite perfect.
AIM is not life-or-death. The only thing they put at risk here is their Good Name (cough). You don't like it? Start your own IM network, and make it "standards-compliant." I'll be too busy chatting with all of my AIM and ICQ buddies to care.
For more information, click here.
The AIM 4.x license agreement states, in effect, `By installing this software, you agree to the terms. ... You may not use client software not approved by AOL Inc. on AOL's AIM servers.' This is why I use AIM 2.1 (the fastest Win32 AIM client that AOL ever made) on my Windows 98 partition, alongside Everybuddy. I know there's Jabber, but I found its AIM gateway to be a bit unreliable.
Will I retire or break 10K?
Actually, ICQ is even better than AIM in these regards. I don't know about the newer version because I hadn't upgraded, but the older ones do not show you ads at all. That goes to another point, that you don't have to upgrade the client all the time. I am running ICQ99b right now and will not upgrade. I tried the 2000 version and I didn't like it, so I went back to the old one. Another advantage is that it doesn't pop up windows while you are working. I hate when I am typing something and then someone sends a message on AIM (I am forced to use it at work) and I end up sending them a message of some code or something. Also, the ICQ protocol is not kept as secret as AIM. There are plenty of clones out there, and I believe ICQ does have a unix version that they made, as well as a palmOS version, mac, and CE in addition to the rest. Also for AIM, there is a java applet that is not too big and you can run to connect to the AIM service. I use it at work on my Sparcstation and have no problems with performance or any lack of features.
Better a cholo than bad company.
AOL members, by default, have the same AOL usernames and AIM screennames. By stealing the AIM account of an AOL subscriber, you will be able to change the password and gain access to all other AOL features by using the same screenname/password as that user's AIM screenname/password.
-atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.
ICQ is a decent product in my opinion, and the opinions of many. Just because it is owned by AOL doesn't mean it is a horrible product. I am pretty sure you are using either Netscape or Internet Explorer. Both of these companies are hated and bashed a lot for their problems and the way they do business. However, that doesn't mean that they don't do something right once in a while.
Well, that is their choice, however, for the year or two that they've owned ICQ, I've never had to stop using the older versions. At this point I have no need to "upgrade" to AIM 4.3 so this doesn't really affect us yet. If they do merge the two and force everyone to upgrade, I see the potential for people finding something else similar to ICQ because it has a lot better features than AIM. In fact, it could be possible for a rogue ICQ network running ICQ groupware servers. I've done that before, and even though that only runs on NT, I believe there is a unix or linux clone that someone made.
Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.
Excluding the peer-to-peer part, the exact same could be said for pop/sendmail based email systems. However, we all know how widely used it is. Email, and to a greater extent instant messaging, should not be your main form of communication. I use ICQ to keep in touch with friends and family, not to send credit card orders or discuss top secret plans. I don't want people to read my instant messages, but if they do it will not actually hurt me. It is basically just a toy, like talking on walkie talkies or sending a postcard. If you want some form of encryption, you can encode your messages with pgp quite easily, and I believe there may be an ICQ plugin for doing that as well. Also, as far as security, you mentioned another thing...that the messages from ICQ are peer to peer and do not go through the server. That is one advantage over AIM. If my messages go directly to the person I want to send them to, how can AOL log them?
Better a cholo than bad company.
No. Is it so hard to read the damn article first?
For more information, click here.
Here is a detailed explanation from SecurityFocus
The slashdot blurb says this could lead to credit card numbers being stolen. The articles linked to did not mention this. Furthermore, since registering for an AIM name does not involve giving a credit card number, I fail to see how this is even plausible. Is slashdot just making up news or is there a factual basis behind this allegation?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Maybe not. You can have different AIM and AOL passwords. Most people will probably pick the same password, but in theory there's no reason why this is necessarily the case.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
Just so you know, I, and several other people, have had lots of problems with GAIM. It crashes a lot basically. I don't really know quite where the issue is, but thankfully there's plenty of good UNIXen AIM clients out there. I myself use Tik (an emacs-lisp version :-) for those times when I need to get on, which is not too much...
But just so you know, if you run into problems, try something else.
-----
AOL's argument against other companies 'connecting' or in their words 'breaking into' their database (of users) has always been "Security".
They never elaborate, nor specify exactly what criteria have to be met, so others can meet it and get use of their network.
The FTC was considering possibly forcing them to open up instant messaging, but seemed to back down when AOL said they refused due to security of their customers.
YET, here we have AOL knowing about a problem for MONTHS and not fixing it?
Smells like time for a few senators and congressmen to say a few words to AOL about "equal standards".
Open your protocol back up, AOL.
GPL'd web-based tradewars themed space game
--------------------------------------
If Murphy's Law can go wrong, it will.
(Note: I'm not trying to imply that it's ok for there to be such a huge security hole by posting these instructions to slashdot. I just want to point out that it's possible to protect your account without going through too much trouble.)
Moderators: I'm above the karma cap, but I'm still a karma whore, so do whatever you want to this post.
--
The shareholder is always right.
For more information, click here.
Jay Satiro, 19, pleaded guilty Tuesday in Westchester County Court to first-degree computer tampering. He faces up to 15 years in prison.
The average prison time served after conviction for homicide, willful murder, is 5 years, 11 months.
First degree computer tampering? A 19 year old with obvious talent belongs in federal prison. You bet.
The greatest crime you can commit in America is first degree curiosity.
--
What happens when you outlaw guns
I've seen this happen at companies that I've worked for over and over and over again. You make a client, and a server, talking to each other over a proprietary protocol, and you forget that the client is inherently untrusted. Security through obscurity breeds in these proprietary environments. I've had heated arguments with programmers who insisted that the server was secure because the client was unable to perform certain actions. I've had managers ask me to prove that these problems were security holes by exploiting them, but without modifying the client source code because "the public doesn't have the client source code, so if you need the source code, it can't be exploited". The fact is, if you have any plans of being as big as AOL, your protocol will be reverse engineered, alternate clients will be created, and your security holes will be found.
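The two-variable registration check explained earlier in the thread (prefix in one field, remainder in the other, server checks only the remainder) is the same "untrusted client" mistake this comment describes. Below is an added example, not AOL's code or anyone's from this thread: it models the behaviour the posts describe with constructed names and shows the server-side fix, which is to rebuild the full name from the client's fields before doing any lookup.

```python
# Model of the screen-name registration bug described in the thread.
# Constructed for illustration: the real AOL field names and server code are
# unknown; only the behaviour the posts describe is reproduced here.

def normalize(name: str) -> str:
    """AIM screen names ignore case and spaces (assumption for this model)."""
    return "".join(name.split()).lower()


def register_vulnerable(taken: set, prefix: str, rest: str) -> bool:
    """Server as the thread describes it: the client supplies a two-character
    prefix and the remainder separately, and the availability check is run on
    the remainder alone before the prefix is prepended. Returns True if the
    server accepted the registration."""
    if normalize(rest) in taken:
        return False
    taken.add(normalize(prefix + rest))   # may silently collide with an existing name
    return True


def register_fixed(taken: set, prefix: str, rest: str) -> bool:
    """Hardened server: never trust how the client split the name. Rebuild the
    full value from the untrusted fields first, validate it, then check that
    exact value against the database."""
    if len(prefix) != 2:
        return False
    full = normalize(prefix + rest)
    if not full.isalnum() or full in taken:
        return False
    taken.add(full)
    return True


def duplicate_rejected(register, existing: str) -> bool:
    """Regression check a defender would keep in the test suite: with
    `existing` already registered, does `register` refuse the same name when it
    arrives as a two-character prefix plus remainder?"""
    full = normalize(existing)
    taken = {full}
    return not register(taken, full[:2], full[2:])


if __name__ == "__main__":
    for fn in (register_vulnerable, register_fixed):
        print(fn.__name__, "rejects duplicate:", duplicate_rejected(fn, "John Doe"))
```

The check also reproduces the article's observation that a name whose last characters are themselves a registered name (the "Hn Doe" case) is safe even on the vulnerable server, since the remainder lookup then hits.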
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Well, spammers have found interesting ways to try to get these completed user lists. A standard spammer trick is take any address they get at all, and make variants of it for the big ISPs. After all, if there's a barbsmith@someisp.net, there's probably a barbsmith@aol.com. Given the negligible cost of sending spam, it doesn't matter if it only hits one in ten times.
AT&T gets something in the neighborhood of a million or two bounces from this type of spam, per day.
--
"Don't trolls get tired?"
Both harvesting screen names and sending unsolicited communications is against their terms.
--
Well, not all e-mail addresses (most, I'm betting) are AOL screen names.
Also, the trick is finding "active" screen names. The ones coming in and out of chat rooms are the best cases for that, afaik. Ones that have big buddy lists probably are too.
There'd have to be a way to automate the process of "hacking" an account, getting the buddy list, and then doing the same on all of those, rinse, repeat.
I think you need to use that AOL tool though, so it's probably an impossibility to automate such a process.
--
".... Earlier this year, a hacker discovered that he had gained access to AOL's internal network. He contacted them and told them about it, then helped them fix it. After it was fixed, AOL turned around and had him prosecuted."
if you bite the hand that helps you... will it reach again?
Ah yes, the typical "AIM sucks, use ICQ" response to an article like this. Of course, by now you must know that ICQ is owned by none other than AOL, and that the company is planning on merging the services. (Don't believe me? Download AIM 4.3, and log in using your UIN and password.)
Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.
ICQ and AIM are supported in Everybuddy for Linux. Good app, with no ad banners or ugly "skins" or "wings" like Odigo.
For more information, click here.
A while back I was playing with the idea of getting lists of AIM user screen names to use for sending random stuff to at my will. The only way that I knew of to get screen names of AIM users was to either do a search in the directory or look in chat rooms. I also tried generating them, but that didn't work well.
.. it was freaky :)
:)
Of course, the system had to be automated, so I decided to go the route of chat rooms. I wrote an AIM TOC client in Java (and some bot stuff too, but that's another story), hooked it up to some scripts, and before I knew it I had a list of like 500k or so screen names (acquired over a period of like 2 weeks of sitting and harvesting).
It was fully automated, grabbing the latest open chat rooms from the web at AOL's site and parsing them out via perl script. It was pretty scary, actually. Once or twice I IM'ed a few random ones just to see if I really was getting screen names of real people, and sure enough they were always like "Who the hell is this?"
I did some more research and realized that what I was doing was against AOL's terms of use, so before it got out of control, I stopped. The names I had gotten, anyway, were just stupid AOL people who were usually less than 14 years old and probably asked "a/s/l" several times an hour.
This little hole though makes me wonder if there's a way to get a list of ALL the screen names.. the college kids, the working adults, not just the AOL geeks who use the "AIM chat rooms".
You shouldn't do it because of the legal implications, but I'm betting someone would pay a hefty sum for a list of several million active screen names for IMing advertisements to. I had a whole plan of this myself, but of course that's WAY against their terms of use.
Or you could just OSS the whole list
--
"// this is the most hacked, evil, bastardized thing I've ever seen. kjb"
are you from Britain or something? "first reply"?
Anyone who already has AOL is too damn stupid to figure out how to steal an account and everyone else wouldn't want an AOL account, even if it is free.
-atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.
Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.
Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.
Makes me glad I already have an AOL account as a backup dialup...
Jabber is a Free instant messaging system with a Free server and several Free clients. No AOL needed; however, there are gateways to Yahoo!, MSN, AIM, and ICQ if you have an account on those services.
Will I retire or break 10K?