Slashdot Mirror


AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. 'So easy to hack, no wonder it's number one!' Details can be found at the w00w00 site."

4 of 343 comments

  1. Ouch... by Marx_Mrvelous · Score: 1, Redundant

    Hmm, does this vulnerability affect Linux clones, too? Of course, no person in their right mind would run gaim as root....

    But if you're running gaim...

    --

    Moderation: Put your hand inside the puppet head!
    1. Re:Ouch... by madenosine · Score: 3, Redundant

      From the website:

      "this does not affect the non-Windows versions"

  2. Don't shoot the messenger, man by mblase · Score: 2, Redundant

    Slashdot just linked to the story; they didn't originate it. They would've had no way to report the information (at least not in Slashdot's usual manner) without pointing people to the actual discoverer of the problem, unless AOL has an article on it somewhere.

    It is very irresponsible of the original writer to post an explicit method to exploit the crack, however. At least there's one redeeming feature: the article also tells readers how to protect themselves from the crack by altering their preferences, and also that AOL is fixing the problem server-side.

    The crack was/is already out there, for people who enjoy using that sort of thing. Don't blame this site for pointing people to it just because Slashdot has a higher readership.

  3. Re:Why not wait a day? by larsu · Score: 1, Redundant

    From the original text (and Bugtraq post):

    We contacted the AOL Instant Messenger group but never received a response. Normally we would be inclined to provide a fix, but it is illegal to reverse engineer the AIM executable (DMCA and AIM's license agreement to thank), so we are unable to provide a patch which will modify it. Instead, we recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz/) to protect yourselves.

    w00w00 found it, contacted AOL, waited, and released after AOL never said w00 about it.