AOL Still Working On AIM Security Hole
TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.
This may be seen as O-T, but why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulsen or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.
The reason everyone is talking about this hole allowing people to get credit cards is not because you can somehow find out the credit card number used to open an AOL account. In fact, if there is an AOL account with the same name as an AIM account, it won't work. People are talking about credit card fraud because with someone's AIM password and buddy list, it is a hell of a lot easier to do some social engineering, and that is exactly what some people are doing.
The way this hole works is by changing a couple variables during runtime in AOL while creating a new screen name. Apparently, there is a variable corresponding to the screen name you want to create, and also a variable that contains two characters which are later prepended to the first variable. The hole is that if you put the first two characters of the name you want to steal in the second variable, and the rest of the name in the first variable, AOL's server will only check the first variable against its user name database.
A much more detailed explanation here
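The check-versus-use mismatch described in the comment above, as an added example that is not part of the original thread and is not AOL's code: a toy registry where the flawed path looks up only one field while storing the joined name, beside a path that checks the name it actually stores. The class, function names, sample screen names, the normalization rule and the overwrite-on-create behaviour are all assumptions made for illustration.

```python
# Toy model of the flaw described above: uniqueness is tested on one field,
# but the account is created from two fields joined together.


def normalize(name: str) -> str:
    # Assumption: names compare case-insensitively and ignoring spaces.
    return name.replace(" ", "").lower()


class Registry:
    def __init__(self, existing):
        # normalized name -> owner label (constructed sample data)
        self.accounts = {normalize(n): "original-owner" for n in existing}

    def register_flawed(self, prefix: str, rest: str, owner: str) -> bool:
        # Flaw: only `rest` is looked up, yet the stored name is prefix + rest.
        # Assumption: creating a name that already exists replaces its owner.
        if normalize(rest) in self.accounts:
            return False
        self.accounts[normalize(prefix + rest)] = owner
        return True

    def register_checked(self, prefix: str, rest: str, owner: str) -> bool:
        # Fix: build the final name first, then check exactly what is stored.
        full = normalize(prefix + rest)
        if full in self.accounts:
            return False
        self.accounts[full] = owner
        return True


def demo():
    existing = ["ExampleUser", "Another Name"]  # constructed screen names
    flawed, fixed = Registry(existing), Registry(existing)
    return {
        "flawed_accepts_split": flawed.register_flawed("Ex", "ampleUser", "second-party"),
        "flawed_owner_after": flawed.accounts["exampleuser"],
        "fixed_accepts_split": fixed.register_checked("Ex", "ampleUser", "second-party"),
        "fixed_owner_after": fixed.accounts["exampleuser"],
        "fixed_accepts_new": fixed.register_checked("Ne", "wName", "second-party"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The general rule the fix applies: validate the canonical value that will be stored, on the server, after all fields have been combined and normalized.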
AOL members, by default, have the same AOL usernames and AIM screennames. By stealing the AIM account of an AOL subscriber, you will be able to change the password and gain access to all other AOL features by using the same screenname/password as that user's AIM screenname/password.
-atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.
No. Is it so hard to read the damn article first?
For more information, click here.
The slashdot blurb says this could lead to credit card numbers being stolen. The articles linked to did not mention this. Furthermore, since registering for an AIM name does not involve giving a credit card number, I fail to see how this is even plausible. Is slashdot just making up news or is there a factual basis behind this allegation?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Jay Satiro, 19, pleaded guilty Tuesday in Westchester County Court to first-degree computer tampering. He faces up to 15 years in prison.
The average prison time served after conviction for homicide, willful murder, is 5 years, 11 months.
First degree computer tampering? A 19-year-old with obvious talent belongs in federal prison. You bet.
The greatest crime you can commit in America is first degree curiosity.
--
What happens when you outlaw guns
".... Earlier this year, a hacker discovered that he had gained access to AOL's internal network. He contacted them and told them about it, then helped them fix it. After it was fixed, AOL turned around and had him prosecuted."
if you bite the hand that helps you... will it reach again?
A while back I was playing with the idea of getting lists of AIM user screen names to use for sending random stuff to at my will. The only way that I knew of to get screen names of AIM users was to either do a search in the directory or look in chat rooms. I also tried generating them, but that didn't work well.
.. it was freaky :)
:)
Of course, the system had to be automated, so I decided to go the route of chat rooms. I wrote an AIM TOC client in Java (and some bot stuff too, but that's another story), hooked it up to some scripts, and before I knew it I had a list of like 500k or so screen names (acquired over a period of like 2 weeks of sitting and harvesting).
It was fully automated, grabbing the latest open chat rooms from the web at AOL's site and parsing them out via perl script. It was pretty scary, actually. Once or twice I IM'ed a few random ones just to see if I really was getting screen names of real people, and sure enough they were always like "Who the hell is this?"
I did some more research and realized that what I was doing was against AOL's terms of use, so before it got out of control, I stopped. The names I had gotten, anyway, were just stupid AOL people who were usually less than 14 years old and probably asked "a/s/l" several times an hour.
This little hole though makes me wonder if there's a way to get a list of ALL the screen names.. the college kids, the working adults, not just the AOL geeks who use the "AIM chat rooms".
You shouldn't do it because of the legal implications, but I'm betting someone would pay a hefty sum for a list of several million active screen names for IMing advertisements to. I had a whole plan of this myself, but of course that's WAY against their terms of use.
Or you could just OSS the whole list
--
"// this is the most hacked, evil, bastardized thing I've ever seen. kjb"