Slashdot Mirror


AOL Still Working On AIM Security Hole

TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.

20 of 118 comments

  1. Why Prosecute at ALL??? by bhalvors · · Score: 5

    This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.

    1. Re:Why Prosecute at ALL??? by sjames · · Score: 3

      This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS

      There are a variety of reasons. For example, you arrive at home and find a note on your fridge:

      'You really need to get a better lock on your front door. Also, you forgot to carry the two when you balanced last month's bank statement, your milk expired yesterday and you're paying way too much for car insurance. P.S. Purple underwear? What were you thinking? Signed, Mr. 1337'

      Now, as a regular reader of urban myths, the question you have to ask yourself is: 'Did that guy stick my toothbrush up his butt?' or 'Will that embarrassing home video in my underwear drawer end up on a porn site?'

      On the other hand, if all Mr. 1337 did was get into your back yard and have a swim in the pool, it's probably not a big deal.

    2. Re:Why Prosecute at ALL??? by dirk · · Score: 4
      This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.

      The answer is simply because you can't let anyone get away with it (in general). If someone hacks your system, doesn't seem to break anything, and simply sends you an anonymous message saying so, you REALLY don't know what went on. He may have taken data that you didn't notice, put a trojan or something else you didn't notice, opened up other security holes, etc. Just because someone says that they didn't do anything doesn't mean that they didn't. I think AOL went a bit far in prosecuting this guy if he actually did help them patch the hole, but it doesn't change the fact that he shouldn't have been mucking around on someone else's network to begin with.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  2. Re:2 questions by GMontag451 · · Score: 5
    How can you get credit cards, AIM doesn't use credit cards

    The reason everyone is talking about this hole allowing people to get credit cards is not because you can somehow find out the credit card number used to open an AOL account. In fact, if there is an AOL account with the same name as an AIM account, it won't work. People are talking about credit card fraud because with someone's AIM password and buddy list, it is a hell of a lot easier to do some social engineering, and that is exactly what some people are doing.

    The way this hole works is by changing a couple of variables during runtime in AOL while creating a new screen name. Apparently, there is a variable corresponding to the screen name you want to create, and also a variable that contains two characters which are later prepended to the first variable. The hole is that if you put the first two characters of the name you want to steal in the second variable, and the rest of the name in the first variable, AOL's server will only check the first variable against its user name database.

    A much more detailed explanation here

  3. The AIM 4.x license/TOS by yerricde · · Score: 3

    The AIM 4.x license agreement states, in effect, 'By installing this software, you agree to the terms. ... You may not use client software not approved by AOL Inc. on AOL's AIM servers.' This is why I use AIM 2.1 (the fastest Win32 AIM client that AOL ever made) on my Windows 98 partition, alongside Everybuddy. I know there's Jabber, but I found its AIM gateway to be a bit unreliable.

    --
    Will I retire or break 10K?
  4. Re:Hmmmm by atrowe · · Score: 4

    AOL members, by default, have the same AOL usernames and AIM screennames. By stealing the AIM account of an AOL subscriber, you will be able to change the password and gain access to all other AOL features by using the same screenname/password as that user's AIM screenname/password.

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  5. Re:AOL...not AIM by generic-man · · Score: 4
    (2) It only applies to AOL accounts, and not AIM

    No. Is it so hard to read the damn article first?
    Indeed, Graham emphasized in an interview that the attacks were "limited to the AIM system. No one on the AOL platform has had their security compromised."

    --
    For more information, click here.
  6. credit card numbers? by Trepidity · · Score: 4

    The slashdot blurb says this could lead to credit card numbers being stolen. The articles linked to did not mention this. Furthermore, since registering for an AIM name does not involve giving a credit card number, I fail to see how this is even plausible. Is slashdot just making up news or is there a factual basis behind this allegation?

    1. Re:credit card numbers? by maquina · · Score: 3

      The credit card numbers that are mentioned in the article are the ones being traded to acquire more desirable screen names.

      From the Article in Security Focus:
      Credit Cards Abused
      Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
      Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
      For full story visit link:
      http://www.securityfocus.com/news/119

      --------
      Maquina
      http://director.chessmasters.com/maquina

  7. AIM versus other clients by iamsure · · Score: 3

    AOL's argument against other companies 'connecting' or in their words 'breaking into' their database (of users) has always been "Security".

    They never elaborate, nor specify exactly what criteria have to be met, so others can meet it and get use of their network.

    The FTC was considering possibly forcing them to open up instant messaging, but seemed to back down when AOL said they refused due to security of their customers.

    YET, here we have AOL knowing about a problem for MONTHS and not fixing it?

    Smells like time for a few senators and congressmen to say a few words to AOL about "equal standards".

    Open your protocol back up, AOL.

  8. To protect yourself... by jesser · · Score: 3
    I just registered sseRud (my screen name minus the first two letters) so nobody can do this to my main screen name. I also registered jsserud and tried to register esserud because the securityfocus and upsidetoday articles didn't convince me that I didn't need to register them as well. Esserud turned out to already be registered, which surprised me, but it's not important that I own those userids, just that the buggy registration thingie knows they're not available.

    (Note: I'm not trying to imply that it's ok for there to be such a huge security hole by posting these instructions to slashdot. I just want to point out that it's possible to protect your account without going through too much trouble.)

    Moderators: I'm above the karma cap, but I'm still a karma whore, so do whatever you want to this post.

    --
    The shareholder is always right.
  9. Looks Like It's Closed by SkyIce · · Score: 3
    from inside aol:
    Update @ 12/1/00: Better late than never - despite missing their stated deadline for a solution, America Online has managed to put a stop to the theft of Instant Messenger subscriber screen names, according to information received by Inside-AOL.com. We hope that their fix will prove to be a lasting one, and find it greatly satisfying to see that even the largest of companies cannot ignore public pressure indefinitely.
  10. WTF by mwalker · · Score: 4

    Jay Satiro, 19, pleaded guilty Tuesday in Westchester County Court to first-degree computer tampering. He faces up to 15 years in prison.

    The average prison time served after conviction for homicide, willful murder, is 5 years, 11 months.

    First degree computer tampering? A 19 year old with obvious talent belongs in federal prison. You bet.

    The greatest crime you can commit in America is first degree curiosity.

  11. Why open source protocols would have solved this by aozilla · · Score: 3

    I've seen this happen at companies that I've worked for over and over and over again. You make a client, and a server, talking to each other over a proprietary protocol, and you forget that the client is inherently untrusted. Security through obscurity breeds in these proprietary environments. I've had heated arguments with programmers who insisted that the server was secure because the client was unable to perform certain actions. I've had managers ask me to prove that these problems were security holes by exploiting them, but without modifying the client source code because "the public doesn't have the client source code, so if you need the source code, it can't be exploited". The fact is, if you have any plans of being as big as AOL, your protocol will be reverse engineered, alternate clients will be created, and your security holes will be found.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  12. Irony... by Technodummy · · Score: 4

    ".... Earlier this year, a hacker discovered that he had gained access to AOL's internal network. He contacted them and told them about it, then helped them fix it. After it was fixed, AOL turned around and had him prosecuted."

    if you bite the hand that helps you... will it reach again?

  13. Re:Why not use ICQ instead by generic-man · · Score: 3

    Ah yes, the typical "AIM sucks, use ICQ" response to an article like this. Of course, by now you must know that ICQ is owned by none other than AOL, and that the company is planning on merging the services. (Don't believe me? Download AIM 4.3, and log in using your UIN and password.)

    Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.

    ICQ and AIM are supported in Everybuddy for Linux. Good app, with no ad banners or ugly "skins" or "wings" like Odigo.

    --
    For more information, click here.
  14. Something I did a while back. by nebby · · Score: 5

    A while back I was playing with the idea of getting lists of AIM user screen names to use for sending random stuff to at my will. The only way that I knew of to get screen names of AIM users was to either do a search in the directory or look in chat rooms. I also tried generating them, but that didn't work well.

    Of course, the system had to be automated, so I decided to go the route of chat rooms. I wrote an AIM TOC client in Java (and some bot stuff too, but that's another story), hooked it up to some scripts, and before I knew it I had a list of like 500k or so screen names (acquired over a period of like 2 weeks of sitting and harvesting).

    It was fully automated, grabbing the latest open chat rooms from the web at AOL's site and parsing them out via perl script. It was pretty scary, actually. Once or twice I IM'ed a few random ones just to see if I really was getting screen names of real people, and sure enough they were always like "Who the hell is this?" .. it was freaky :)

    I did some more research and realized that what I was doing was against AOL's terms of use, so before it got out of control, I stopped. The names I had gotten, anyway, were just stupid AOL people who were usually less than 14 years old and probably asked "a/s/l" several times an hour.

    This little hole though makes me wonder if there's a way to get a list of ALL the screen names.. the college kids, the working adults, not just the AOL geeks who use the "AIM chat rooms".

    You shouldn't do it because of the legal implications, but I'm betting someone would pay a hefty sum for a list of several million active screen names for IMing advertisements to. I had a whole plan of this myself, but of course that's WAY against their terms of use.

    Or you could just OSS the whole list :)

  15. Oxy-moron? by sheetsda · · Score: 5
    The article mentions an "AOL hacker". Does this seem like an oxy-moron to anyone else?

    "// this is the most hacked, evil, bastardized thing I've ever seen. kjb"

  16. Not everyone who uses AIM is vulnerable... by D'Arque+Bishop · · Score: 3
    Well, true, AIM users who are NOT AOL subscribers are possibly vulnerable, but there were a couple of exceptions to this vulnerability, according to a SecurityFocus article:

    Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

    Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.

    Makes me glad I already have an AOL account as a backup dialup...
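As an added illustration (not code from the thread, from AOL, or from any real AIM server), the following Python model covers both GMontag451's description of the two-variable registration check and the immunity rule quoted in comment 16: it shows why validating only the un-prefixed variable lets an already-registered name be created again, and the check that closes it. The set of taken names, the case/space normalization and all function names are constructed assumptions.

```python
from typing import Optional, Set

# Constructed sample of names already in the registration database.
TAKEN: Set[str] = {"johndoe", "sjames", "hndoe"}


def normalize(name: str) -> str:
    """Assumed comparison rule: screen names match case-insensitively, ignoring spaces."""
    return name.replace(" ", "").lower()


def register_vulnerable(prefix: str, rest: str, taken: Set[str]) -> Optional[str]:
    """Flawed server check as described in the thread: only the `rest`
    variable is looked up in the database, and the two-character `prefix`
    variable is prepended afterwards to form the name that actually gets
    created. Returns the created name, or None if the check rejected it."""
    if normalize(rest) in taken:
        return None
    return prefix + rest  # may collide with an existing name


def register_fixed(prefix: str, rest: str, taken: Set[str]) -> Optional[str]:
    """Hardened check: compose the final name first, then validate the whole
    thing, and reject any prefix that is not exactly the two expected chars."""
    if len(prefix) != 2:
        return None
    full = prefix + rest
    if normalize(full) in taken:
        return None
    return full


def is_immune(name: str, taken: Set[str]) -> bool:
    """Comment 16's rule: a screen name whose remainder (minus the first two
    letters) is itself already registered cannot be re-created through the
    flawed check, because the lookup on `rest` alone hits that other name."""
    return normalize(name[2:]) in taken


def hijack_possible(name: str, taken: Set[str]) -> bool:
    """True when the flawed check would let an existing name be registered again."""
    return register_vulnerable(name[:2], name[2:], taken) is not None
```

Registering the name minus its first two letters, as jesser describes in comment 8, is exactly what makes `is_immune` return True for the original name.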