Slashdot Mirror


AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."

4 of 343 comments

  1. Re:Why not wait a day? by Monte · Score: 5, Insightful

    Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details.

    Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

  2. Re:Why not wait a day? by ez76 · Score: 5, Insightful

    Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

    Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking? Consider the following off-line scenarios, which to me seem equivalent (someone correct my thinking):
    • A test mode is discovered in a popular residential/commercial building security system whereby anyone can enter such a building by punching in a certain 23-digit code into the alarm keypad. w00w00 drives around town and posts a picture of the affected keypads and the first 21 digits of the code.
    • Certain model year GM vehicles' security systems can be foiled by holding down multiple chiclet keys at once and inserting a metal object into the driver's side door keyhole. w00w00 cruises local mall parking lots, opening the doors of random vehicles, putting a bulletin about the problem on the driver's seat, closing the door, and fleeing.
    • A template and generating function for test AT&T calling card numbers is discovered that permits anyone with the two to make free calls. w00w00 publishes the information.


    All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.

    These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?

    There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
  3. Re:Why not wait a day? by GTRacer · Score: 5, Insightful
    Actually, I don't hate Microsoft products, just their practices and abhorrent licensing shenanigans. In fact, I use WinNT, Outlook, IE 5.5 and the rest of the Office 97 suite alongside Gimp, Apache, Perl, NMap, and WGet.

    I am not an OSS zealot although I do dual-boot Mandrake.

    I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.

    I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.

    GTRacer
    - Equal-opportunity company basher!

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  4. Re:Why not wait a day? by YaRness · Score: 5, Insightful

    it's different because you can't download a new keypad for your security system or car, but you can easily download and apply a patch for a program. it's a matter of distribution.

    additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.

    just the old regulated security VS. freedom debate.