Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Security Compromised by Teenager

Posted by Zonk on from the off-the-shelf-hacking-oh-great dept.

Freaky_Friday wrote with a link to an InfoWorld article about a teenage kid accessing customer information at AOL. The alleged criminal trespass began late last year, and extended up through early April. According to the article, the guy used some 'off-the-shelf' hacking software he downloaded online to gain access to, and then transmit information from, AOL's systems. "The complaint states that Nieves admitted to investigators that he committed the alleged acts because AOL took away his accounts. 'I accessed their internal accounts and their network and used it to try to get my accounts back,' the defendant is quoted as saying in the complaint. He also admitted to posting photos of his exploits in a photo Web site, according to the complaint ... If the defendant was honest about his motivation in his reported confession, it's safe to assume that he wasn't interested in stealing data for financial gain, [Managing director of technology at FTI Consulting Mark] Rasch said. Still, it'll be interesting to find out what steps AOL is taking if customer data was in fact compromised, he said."

5 of 99 comments (clear)

  1. Hmmm by NightWulf · · Score: 5, Funny

    Kid must be pretty smart if he was able to hack AOL's servers. *Reads article* Ohhhhh to get his account back...hmm forget it.

    1. Re:Hmmm by Anonymous Coward · · Score: 5, Informative

      Well there have always been tools out there to hack AOL, some of the more notorious were AOHell and WAAS (We are all sinners), LOFT even had a whole series of tools for AOL. Most of them just contained a lot of script kiddy stuff but there were some others that gave you shell access to the network about 10 years ago or so AOL was really like a pretty face over a custom IRC type network. If you could drop down out of the pretty face and get to the raw shell which was only really only protected by the fact that the pretty face was there and most AOL users were too dumb to realize that there was something going on under the AOL screen. You could peek around, but then once you got yourself an overhead account you really could run through the system at will. While I imagine it has improved over the years I am guessing a lot of the base code and concepts of the network are there still.

  2. I remember... by firpecmox · · Score: 5, Funny

    I tried to hack someone once but that damn 127.0.0.1 was behind a firewall and it just messed up my computers

  3. Suuurrree by FalleStar · · Score: 5, Insightful

    Among his alleged exploits:
    * Accessing systems containing customer billing records, addresses, and credit card information
    * Infecting machines at an AOL customer support call center in New Delhi, India, with a program to funnel information back to his PC
    * Logging in without permission into 49 AIM instant message accounts of AOL customer support employees
    * Attempting to break into an AOL customer support system containing sensitive customer information
    * Engaging in a phishing attack against AOL staffers through which he gained access to more than 60 accounts from AOL employees and subcontractors
    Yeah, sounds like he was JUST trying to get his account back alright.
  4. Same old same old by ShaunC · · Score: 5, Interesting

    From the perspective of someone who was in that scene more than a decade ago, it's enlightening to see how much of this is still going on. I don't see where in the article it says he used "'off-the-shelf' hacking software," but I guess these days it doesn't take much talent.

    I remember when the phishing trend started. AOL's biggest mistake at that point was creating a special People Connection lobby that overhead/internal accounts would default to. Initially, it was just a private room whose name changed occasionally (who else remembers THEBLIMPSAIDITALL, and numerous incarnations of IllIlIIlIIlllIlIIlI...?). Anyone who knew the name could get into the room with any regular account, and phish privileged accounts to their heart's content. Eventually AOL made some progress and created a viewruled lobby, which they assumed would keep the riff-raff out, but they forgot to plan for the fact that the riff-raff already had access to privileged accounts.

    In the early to mid 90s, there was no such thing as phishing. If you wanted privileged access, you had to work for it, and it was a thankless (but sometimes rewarding) task. There were a handful of folks - okay, probably a few handfuls, maybe numbering in the tens - who spent their free time doing real hacking. Those of us on the Mac side were busy poring over logs from Serial of Champions, reverse engineering the client-server communications. Through trial and error, we determined that every client request would send a two-character "token" and an argument to match. For example, double-clicking a message board to open it up might send the token "mB" with the message board's ID as the argument. Using the Keyword feature would send a Kk token, that's the only one I still remember for sure.

    We eventually compiled a list of the various "tokens" that made up the AOL protocol, and what they did. There was a developer's client extension that allowed for sending arbitrary token/args, and like most things inhouse, it was leaked to a few people. This gave some of us the ability to do things nobody else could. Way before AOL ever introduced "Mail Controls," for instance, we were able to reject mail from specified users. The feature had been built into the system from the beginning but had never been released to the public (IIRC, the then-system-devs didn't even know it was possible). We'd stumbled upon the feature by sending random tokens to the server.

    Here's a funny story about how something went from blackhat to implemented feature. At some point I discovered a token that would refresh the client's installed list of screen names. Basically, if you had AOL installed on multiple computers, or had multiple copies of the client on one machine, the list of your available screen names would inevitably become outdated across clients: if you created a new screen name on one client, then switched to another, the new name wouldn't show as a sign-on option. Likewise, if you deleted a screen name while you were logged in from one machine, that name would still (incorrectly) display as available on another machine. There was no way to synch up the list of names, so if you created screen name FoobarMan on machine A, the only way to sign onto it from machine B was to reinstall the client.

    Well, I found out that if you sent a certain token to the server, it would force a client-side refresh of the screen names on the sign-on list. Having legitimate access to publish things - did I mention I was not only a haxx0r, but also remote staff - I created a little form with a link that would send that token, thus refreshing the client's list of screen names. I passed it on to a TechLive friend who started giving it out to members who were having this (common) problem. Eventually someone inhouse got wind of it. I got reamed, my creation was removed, and a month later a shiny new feature appeared at keyword: NAMES... "Refresh Screen Name List."

    Go figure. :)

    Accessing member information is hardly anything new. AOL has a customer management system

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!