Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Thief Ransacks AOL

Posted by ryuzaki0 on from the now-give-your-password-to-me dept.

NoWhere Man writes "Just surfed into Wired and read an article about a theif using email to get AOL passwords. Using OperaMail and a program similar to those used to hack ICQ, the sender can get the password to anyone's account on AOL; all the user has to do is open the email. " You've Got A Password! (Done in sing-song voice).

1 of 149 comments (clear)

  1. E-mail attachments by jflynn · · Score: 4

    If I read the article right, the problem is that AOL users are opening an executable attachment to an e-mail. Sorry, but there is no way in the world to protect against this. People often say it doesn't matter on a Linux system since only user files can be affected, but this is little comfort to me. I can easily re-install a broken system. Protecting the user data I've created since last backup is far more important to me.

    Users seem to be requesting that AOL identify all possible malicious attachments and install virus checking software that will identify them. AOL is quite right in saying this is hopeless. The only solution presently is for AOL users to grow a brain (after the appropriate education) and refuse to open attachments they did not solicit.

    It would be nice if attachments could run/open on a VMWare virtual machine or something like it created specifically for the purpose, with monitors for suspicious activity. If the virtual machine gets destroyed, no biggee. Delete it and create it again. I doubt this is practical at the consumer level now however.

    No, I have to agree with AOL that this problem is between keyboard and chair.

    There have been far more serious security problems in the Microsoft world of late that would destroy a system on merely opening a mail or viewing a web page. These are real holes that need fixing, or better, making impossible.

    I have never used HTML mail, and I wish no one would. Almost all of it I get is spam anyway. The internet was designed around text for a good reason, and even though HTML is text, any language that can embed executables is still dangerous. Limiting mail HTML to a formatting subset like Slashdot's would be an acceptable compromise.