AOL Still Working On AIM Security Hole 118
TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.
Why Prosecute at ALL??? (Score:5)
Time to log on to Jabber (Score:1)
Re:ICQ (Score:1)
Re:AIM versus other clients (Score:1)
Ah, but security for AOL's users or for the other companies'?
AOL must be insane (Score:1)
This sort of thing astounds me. Not only is it unbelievably bad business, but it's blood in the water for the litigation sharks circling out there. A big juicy target like AOL would be ripe for a class action suit as we've seen targeted against so many other businesses in the past.
Re:2 questions (Score:5)
The reason everyone is talking about this hole allowing people to get credit cards is not because you can somehow find out the credit card number used to open an AOL account. In fact, if there is an AOL account with the same name as an AIM account, it won't work. People are talking about credit card fraud because with someone's AIM password and buddy list, it is a hell of a lot easier to do some social engineering, and that is exactly what some people are doing.
The way this hole works is by changing a couple variables during runtime in AOL while creating a new screen name. Apparently, there is a variable corresponding to the screen name you want to create, and also a variable that contains two characters which are later prepended to the first variable. The hole is that if you put the first two characters of the name you want to steal in the second variable, and the rest of the name in the first variable, AOL's server will only check the first variable against its user name database.
A much more detailed explanation here
Re:$50 (Score:1)
Re:Why Prosecute at ALL??? (Score:2)
Nothing. The individual involved committed a crime; that he did no damage and had no malicious intent is an argument for a lenient sentence, not a defence.
Re:So use Jabber (Score:2)
---
Rob Flynn
Didn't Microsoft Mention this? (Score:2)
If I remember correctly, Microsoft, before they got out of the AIM network to concentrate on their own IM userbase, mentioned that there was a huge security hole in AIM and AOL blew it off as MS FUD. Maybe they knew about it all along and kept it a secret figuring that someone would find it eventually.
Personally, I use MSN Messenger. I used to use ICQ, then AOL got hold of it and turned it into the ultimate example of bloatware. How many people can remember when it was a 1.4 meg download? I think it's up to 6 megs now, has all kinds of stupid things like web servers and greeting cards that are almost never used, and they made the e-mail notification into a full featured POS e-mail program that never would read e-mail because it would always screw up the downloading of headers. And I never used AIM for obvious reasons (it's from AOL).
The only IM clients I would even touch right now are Yahoo Messenger and MSN Messenger, and since MSN Messenger currently has exactly what ICQ had before it became a bloat monster, that's the one I use.
--
This happened to me... (Score:1)
Now that the problem has been made public, is there anything I can do to get it back?
~Panic~
The Linux version... (Score:1)
hehe.
;)
Re:AIM versus other clients (Score:1)
Just my thoughts - I don't see any new IMs catching on as quickly as AIM and ICQ did, because they were the first (or first mainstream) ones available.
Re:Leftist *trendies* are in vogue (Score:1)
Re:AIM versus other clients (Score:1)
I agree that ICQ for Windows has begun to suck; I hate that they are using it to advertise, and it's way more bloated than it should be. Although the same can be said for AIM, which is why I'm still using one of the 1.x releases. At any rate the Linux clones seem to be coming along nicely, so I may switch to that.
AIM holes and such (Score:1)
This would explain the reason why one of the companies I work for, The Williams Companies, now forces us to use this really crappy version of ICQ Groupware that I don't even think is being developed anymore.
This is a multi-billion dollar company that is forcing its tech support (we support 30,000+ users and three different call centers) to use this communications method that shows us "away" half the time.
This article, along with a few others, was shown to our management saying "ack, look what they can do to our system integrity!" when the people pointing out the problem didn't even really know what they were talking about in the first place...
Re:The Linux version... (Score:1)
Hmmm. What service to use now . . . (Score:1)
ICQ? Hmmm. Nope. Used to be good, until AOL bought it. Now I wonder whether UINs are going to be vulnerable . .
Yahoo! Messenger? Ah, a prima donna company that tries to take ownership of its users' pages. [internetnews.com] I think I'd be better off with AOL . .
MSN Messenger? Ah, a "reliable," "free*" product, brought to you by the kind folks at Micro$oft.
PowWow? Honestly, how many people do you know that have even heard of it, let alone have bothered to create an account?
* Subject to terms decided by Microsoft. By signing up for MSN Messenger service, you hereby agree to give Microsoft Corporation (hereafter referred to as "We Own Your Soul") sole ownership and possession of any and all inventions, ideas, etc. produced by you (hereafter referred to as "Putty-brain"), including any electrochemical developments and all genetic by-products. These terms are subject to change at our discretion.
Re:Oxy-moron? (Score:1)
AOL Still Working On AIM Security Hole (Score:1)
Re:ICQ (Score:1)
ummm? (Score:1)
If the hole's limited to AIM, and AIM users don't need to provide anything but an email address to access the service, I can't figure how anyone could steal anything more than that.
In the end they should enforce upon users a permissions based system. Each account gets a master account and 6 user accounts. They should explain the master account as being a sort of "root" account, only used when you need to change your billing info or your screen names. And then disable "remote" access to it - i.e. AIM. That'd solve their worries right there, but at this point it'd cost them millions in order to notify everyone of the change and what to do about it.
Re:AIM versus other clients (Score:1)
Get your facts straight...
Re:tell me about it (Score:1)
Re:Why Prosecute at ALL??? (Score:2)
The answer to this question is actually quite simple:
Corporations, and even the government, are finally learning that the net is the great equalizer, and they have no control over it. In the beginning both the gov't and the corps thought they could control and manipulate things, but over time they learned that they had zero control.
This is a frightening thing to learn for a person or organization who thought they had ultimate power. So in order to gain back some of the power they lost by entering the internet community they will prosecute to the hilt in an attempt to set examples, because there probably are one or two people who won't hack or crack after they read those Time and Newsweek cover stories about the 14 year old kids who lost their computers and went to jail after hacking the KFC website looking for their secret-sauce recipe.
The same thing goes for the gov't as well. They ALWAYS over-react... and it's policy. Look at history. Recent examples being Ruby Ridge, Waco, and removing Elian Gonzales from that house in Miami. They go in full force to set examples in the hope that citizens will toe the line and be good little citizens and not do anything except sit around, watch Jerry Springer, and gain weight.
Rich...
Re:AIM versus other clients (Score:2)
AIM is not life-or-death. The only thing they put at risk here is their Good Name (cough). You don't like it? Start your own IM network, and make it "standards-compliant." I'll be too busy chatting with all of my AIM and ICQ buddies to care.
The AIM 4.x license/TOS (Score:3)
Re:Why would anyone leave IRC for proprietary? (Score:2)
Re:Hmmmm (Score:4)
Re:Why not use ICQ instead (Score:2)
ICQ is a decent product in my opinion, and the opinions of many. Just because it is owned by AOL doesn't mean it is a horrible product. I am pretty sure you are using either Netscape or Internet Explorer. Both of these companies are hated and bashed a lot for their problems and the way they do business. However, that doesn't mean that they don't do something right once in a while.
Well, that is their choice, however, for the year or two that they've owned ICQ, I've never had to stop using the older versions. At this point I have no need to "upgrade" to AIM 4.3 so this doesn't really affect us yet. If they do merge the two and force everyone to upgrade, I see the potential for people finding something else similar to ICQ because it has a lot better features than AIM. In fact, it could be possible for a rogue ICQ network running ICQ groupware servers. I've done that before, and even though that only runs on NT, I believe there is a unix or linux clone that someone made.
Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.
Excluding the peer-to-peer part, the exact same could be said for pop/sendmail based email systems. However, we all know how widely used it is. Email, and to a greater extent instant messaging, should not be your main form of communication. I use ICQ to keep in touch with friends and family, not to send credit card orders or discuss top secret plans. I don't want people to read my instant messages, but if they do it will not actually hurt me. It is basically just a toy, like talking on walkie talkies or sending a postcard. If you want some form of encryption, you can encode your messages with pgp quite easily, and I believe there may be an ICQ plugin for doing that as well. Also, as far as security, you mentioned another thing...that the messages from ICQ are peer to peer and do not go through the server. That is one advantage over AIM. If my messages go directly to the person I want to send them to, how can AOL log them?
Re:AOL...not AIM (Score:4)
No. Is it so hard to read [upside.com] the damn article first?
Re:Why Prosecute at ALL??? (Score:3)
This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS
There are a variety of reasons. For example, you arrive at home and find a note on your fridge:
'You really need to get a better lock on your front door. Also, you forgot to carry the two when you balanced last month's bank statement, your milk expired yesterday and you're paying way too much for car insurance. P.S. Purple underwear? What were you thinking? Signed, Mr. 1337'
Now, as a regular reader of urban myths, the question you have to ask yourself is: 'Did that guy stick my toothbrush up his butt?' or 'Will that embarrassing home video in my underwear drawer end up on a porn site?'
On the other hand, if all Mr. 1337 did was get into your back yard and have a swim in the pool, it's probably not a big deal.
Re:Something I did a while back. (Score:1)
Maybe soon someone will figure out a way to gather e-mail addresses by spidering web pages. Could nebby101@hotmail.com fall into the hands of spammers? Could all e-mail addresses be gathered this way? Judging by some mail that I get, "100 MILLION EMAIL ADDRESSES FOR $49.95" is a good place to start checking.
uh. (Score:1)
where do credit cards come into the picture for AIM? this makes 0 sense to me.
Re:Something I did a while back. (Score:1)
Hrm. The act of obtaining them or possession of them? Might be illegal to run a bot in such a manner, but owning a list of valid IM names? Someone would just have to harvest them and sell the list. I'm stunned that nobody has done this yet.
But talk about intrusive! Forget a phone call during dinner, imagine the phone throwing the handset at your head!
My .02,
Re:2 questions (Score:3)
The Hole Was Fixed (Score:1)
"12/1/00: Better late than never - despite missing their stated deadline for a solution, America Online has managed to put a stop to the theft of Instant Messenger subscriber screen names, according to information received by Inside-AOL.com. We hope that their fix will prove to be a lasting one, and find it greatly satisfying to see that even the largest of companies cannot ignore public pressure indefinitely."
So, AOL is not completely negligent.
credit card numbers? (Score:4)
Re:Didn't Microsoft Mention this? (Score:1)
Use TiK [sourceforge.net]. It's l33t.
Re:Why Prosecute at ALL??? (Score:1)
Re: (Score:1)
Just great (Score:1)
yeah yeah (Score:1)
How long did it take them to "fix" vb script holes in outlook again?
Maybe... (Score:2)
Re:2 questions (Score:1)
Re:ICQ (Score:1)
hey timothy (Score:2)
But just so you know, if you run into problems, try something else.
-----
How does AOL treat their own web site (Score:1)
________
AIM versus other clients (Score:3)
They never elaborate, nor specify exactly what criteria have to be met, so others can meet it and get use of their network.
The FTC was considering possibly forcing them to open up instant messaging, but seemed to back down when AOL said they refused due to security of their customers.
YET, here we have AOL knowing about a problem for MONTHS and not fixing it?
Smells like time for a few senators and congressmen to say a few words to AOL about "equal standards".
Open your protocol back up, AOL.
AOL...not AIM (Score:1)
(1) The exploit was first posted on observers.net
(2) It only applies to AOL accounts, and not AIM
(3) It was patched about a month ago.
-Eternal
ICQ (Score:2)
--------------------------------------
To protect yourself... (Score:3)
(Note: I'm not trying to imply that it's ok for there to be such a huge security hole by posting these instructions to slashdot. I just want to point out that it's possible to protect your account without going through too much trouble.)
Moderators: I'm above the karma cap, but I'm still a karma whore, so do whatever you want to this post.
--
Re:The Linux version... (Score:1)
-- Fester
Re:Why Prosecute at ALL? - They do it out of fear. (Score:1)
Re:2 questions (Score:2)
Re:Why would anyone leave IRC for proprietary? (Score:1)
As for the alternate versions of ICQ, I believe that I used a version in the past for Linux entitled Licq, and had no complaints with its operation. And AIM Express (the Java applet) is also a pretty nice little utility, especially when combined with the latest version of AIM that stores your buddy list on their servers, as well as locally. AIMe's great when you're at some public terminal or a non-windoze box to be able to instant message a friend with a question. Not to mention that keeping your buddy list stored on their server makes it much easier for me to keep my list coordinated between all three of my machines.
--------------------------------------
Re:How does AOL treat their own web site (Score:1)
Re:WTF (Score:1)
1) Just because he's sentenced to 19 years, doesn't mean he'll do 19 years.
2) Breaking into a computer is viewed by many corporations in the same way as if you broke into their company headquarters, poked around in their file cabinets (if there are any), and then left a note with your name, address and home phone explaining who you were, what you had done, and that you "didn't see anything confidential, steal stuff, or otherwise molest important items."
I'm sorry to have to say it, but this kid was a friggin' idiot.
Re:Why Prosecute at ALL??? (Score:4)
The answer is simply because you can't let anyone get away with it (in general). If someone hacks your system, doesn't seem to break anything, and simply sends you an anonymous message saying so, you REALLY don't know what went on. He may have taken data that you didn't notice, put a trojan or something else you didn't notice, opened up other security holes, etc. Just because someone says that they didn't do anything doesn't mean that they didn't. I think AOL went a bit far in prosecuting this guy if he actually did help them patch the hole, but it doesn't change the fact that he shouldn't have been mucking around on someone else's network to begin with.
Looks Like It's Closed (Score:3)
WTF (Score:4)
The average prison time served after conviction for homicide, willful murder, is 5 years, 11 months. [house.gov]
First degree computer tampering? A 19 year old with obvious talent belongs in federal prison. You bet.
The greatest crime you can commit in America is first degree curiosity. [2600.com]
Re:Why Prosecute at ALL??? (Score:2)
In theory this is true, but try it in real life. I have my money in the bank down the street. I still can't try to break in "just to see if my money is secure". To me, computer systems aren't really any different than property for this type of thing. You aren't allowed to muck around in either of them if they aren't yours, simply because we can't factor intent into it. If you get caught before you have done anything wrong, does that mean you weren't going to do anything? Or you just didn't get the chance to? It doesn't matter, because you shouldn't have been there in the first place.
Why open source protocols would have solved this (Score:3)
Re:Something I did a while back. (Score:2)
AT&T gets something in the neighborhood of a million or two bounces from this type of spam, per day.
--
"Don't trolls get tired?"
Re:Doesn't matter anyway (Score:1)
geeze, tim (Score:1)
> without, having recently been persuaded to
> register with AIM and give GAIM a try.
We've already had to deal with Taco this week and his anti-Java stance. Do you think the Slashdot guys could get any more elitist about things?
-Chris
...More Powerful than Otto Preminger...
Re:Why Prosecute at ALL??? (Score:1)
Re:Something I did a while back. (Score:1)
You're not describing anything new. People have harvested email addresses for a while. Just describe how to harvest email addresses and then s/email address/screen name/g and bam, your post.
AOL is not as evil as most people like to think. With their AIM service they provide all the tools to have none/some/all privacy and still chat. People just don't use them and then get their panties in a wad.
What I disagree with is the warning system, which I think is an aggressive action and not defensive like they claim. Blocking a user is defensive. Warning actually affects the other screen name's ability to use the service, which I think is wrong even if I don't agree on how they are using or taking advantage of it.
Sorry it turned into a rant.
Leknor
wrong! standalone AIM is vulnerable (Score:1)
Re:2 questions (Score:1)
Re:Something I did a while back. (Score:2)
Re:Something I did a while back. (Score:2)
Also, the trick is finding "active" screen names. The ones coming in and out of chat rooms are the best cases for that, afaik. Ones that have big buddy lists probably are too.
There'd have to be a way to automate the process of "hacking" an account, getting the buddy list, and then doing the same on all of those, rinse, repeat.
I think you need to use that AOL tool though, so it's probably an impossibility to automate such a process.
Re:credit card numbers? (Score:2)
Re:yeah yeah (Score:1)
Wait, i was under another impression (Score:1)
Re:AIM versus other clients (Score:1)
Ugh, you know what, who the fuck cares what protocol they use. It's so incredibly simple to design another one, why waste time trying to get AOL to open something that is reproduced virtually without effort. Look how fast ICQ caught on...and it has a whole other protocol. Don't give me that everyone has AIM crap...ICQ is proof that any protocol will do.
Re:To protect yourself... (Score:1)
--
Re:AOL...not AIM (Score:1)
Irony... (Score:4)
if you bite the hand that helps you... will it reach again?
Re:Why not use ICQ instead (Score:3)
Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.
ICQ and AIM are supported in Everybuddy [everybuddy.com] for Linux. Good app, with no ad banners or ugly "skins" or "wings" like Odigo.
Re:uh. (Score:1)
You create an AOL account that over gens the AIM account, which in turn you need a CC for in order for billing to be authenticated.
satanklawz
root@inside-aol.com
Something I did a while back. (Score:5)
Of course, the system had to be automated, so I decided to go the route of chat rooms. I wrote an AIM TOC client in Java (and some bot stuff too, but that's another story), hooked it up to some scripts, and before I knew it I had a list of like 500k or so screen names (acquired over a period of like 2 weeks of sitting and harvesting).
It was fully automated, grabbing the latest open chat rooms from the web at AOL's site and parsing them out via Perl script. It was pretty scary, actually. Once or twice I IM'ed a few random ones just to see if I really was getting screen names of real people, and sure enough they were always like "Who the hell is this?"
I did some more research and realized that what I was doing was against AOL's terms of use, so before it got out of control, I stopped. The names I had gotten, anyway, were just stupid AOL people who were usually less than 14 years old and probably asked "a/s/l" several times an hour.
This little hole though makes me wonder if there's a way to get a list of ALL the screen names.. the college kids, the working adults, not just the AOL geeks who use the "AIM chat rooms".
You shouldn't do it because of the legal implications, but I'm betting someone would pay a hefty sum for a list of several million active screen names for IMing advertisements to. I had a whole plan of this myself, but of course that's WAY against their terms of use.
Or you could just OSS the whole list
Re:2 questions (Score:1)
Re:Hmmmm (Score:1)
--
Re:2 questions (Score:1)
Re:Doesn't matter anyway (Score:1)
Um... we kind of forgot your billing information, username and password.
Could you tell us what it is again?
Stupidity exploits work rather well on AOL users.
Oxy-moron? (Score:5)
"// this is the most hacked, evil, bastardized thing I've ever seen. kjb"
Re:AIM versus other clients (Score:2)
Start your own IM network, and make it "standards-compliant."
We already did. It's called Jabber [jabber.com].
I'll be too busy chatting with all of my AIM and ICQ buddies to care.
There are already Jabber-to-TOC and Jabber-to-ICQ gateways that let Jabber users chat with users on other servers, and they're getting ready to install MSN and Yahoo! gateways.
AIM Buffer Overflows (Score:1)
Yet another reason why I don't use Windows or AOL.
Re:ass (Score:2)
Re:Why Prosecute at ALL??? (Score:2)
--
Re:The AIM 4.x license/TOS (Score:2)
--
Re:Something I did a while back. (Score:2)
The first method is to generate every possible screen name (x characters) and do those. This is too much and too slow, impossible.
The alternative method is to generate words off a dictionary (pseudo words) using syllables and stuff, since a lot of screen names are not real words. This actually worked pretty well in guessing actual names, but again these screen names were usually not active for ages.
Re:Why Prosecute at ALL??? (Score:2)
How about creating a (free) system like zeroknowledge where you're anonymous unless the maintainers of the system agree that you've done something bad? Wait, I already see a few problems with that idea:
- I'm not sure I would want to go through even that little bit of trouble after thinking of some random possible security hole. I just want to see if it's there and if it is, tell the people who own the system.
- Malicious crackers would probably take a hint and decide to use zeroknowledge (but at least they would become aware of the idea of white-hat hacking, and they'd still have to pay for zk (I think)).
- Setting up that kind of service might legitimize the idea that "hacking other people's computers is bad".
- There's a huge incentive to crack one of the routers for this system: you get to watch people crack other systems, and then you can either "make" them do bad things on the systems they've cracked (and get them in trouble) or crack the systems yourself.
--
Re:Why Prosecute at ALL??? (Score:2)
When someone breaks into a computer, they can at most delete files or use your DSL for a DoS.
Or steal banking records, customer lists, credit card numbers, personal email etc. Businesses can easily be seen to live in their computers. That's where all of their information resides. The question was actually why do businesses see a need to prosecute, I just used a home analogy since many people can relate to that better.
Besides, this person didn't even damage anything. Manslaughter has a much lower sentence.
I do disagree with the harshness of the penalty. It certainly shouldn't exceed manslaughter or rape.
So get decent security and don't fret when someone breaks in to your computer. Besides, merely exploring a network (a la nmap etc) is interesting and educational.
Nmap is more like driving through a neighborhood seeing how many people have decent locks and alarms and who doesn't. At most it is like trying a door knob w/o opening the door (note that in the real world, even that can get you in trouble, especially if you have a record). To me, it isn't cracking until an exploit is tried.
Re:credit card numbers? (Score:3)
From the Article in Security Focus:
Credit Cards Abused
Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
For full story visit link:
http://www.securityfocus.com/news/119 [securityfocus.com]
--------
Maquina
http://director.chessmasters.com/maquina [chessmasters.com]
Re:Something I did a while back. (Score:2)
Surely it would be better to give each user a name (which is public) and a password (which is private). Then if users don't want to receive messages from people they don't know, a simple option in the AIM client would do it.
Doesn't matter anyway (Score:2)
Not everyone who uses AIM is vulnerable... (Score:3)
Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.
Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.
Makes me glad I already have an AOL account as a backup dialup...
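A constructed toy model of the registration flaw described in this thread (the two-variable split in the "Re:2 questions" post and the "minus the first two letters" immunity rule above); it is not AOL's code or protocol, and the function names, the two-character prefix length and the sample name database are assumptions. It contrasts a check that validates only the typed remainder with one that canonicalises the full name before the uniqueness lookup.

```python
"""Toy model of the screen-name registration flaw discussed in this thread.

Constructed example, not AOL's code. The client sends two fields: a
two-character prefix (the thread's second variable, 'uni_next_atom_typed'
in the SecurityFocus quote) and the remainder the user typed. The pre-fix
server, as the thread describes it, validated only the remainder against the
name database and then prepended the prefix. The hardened version builds the
full name first, canonicalises it, and checks that.
"""
from typing import Dict, Optional, Set


def canonical(name: str) -> str:
    """Form of a screen name used for uniqueness: case-folded, no whitespace.

    Removing whitespace means a blank prefix cannot produce an 'indented'
    lookalike of an existing name.
    """
    return "".join(name.split()).casefold()


def flawed_register(prefix: str, rest: str, taken: Set[str]) -> Optional[str]:
    """Pre-fix behaviour: only `rest` is checked, `prefix` is trusted blindly.

    Returns the screen name the server would create, or None if rejected.
    """
    if canonical(rest) in taken:
        return None
    return prefix + rest


def hardened_register(prefix: str, rest: str, taken: Set[str]) -> Optional[str]:
    """Fix: validate the complete name the account will actually carry.

    The prefix length is enforced, the full name is canonicalised before the
    database lookup, and the canonical form is what gets stored.
    """
    if len(prefix) > 2:
        return None
    full = canonical(prefix + rest)
    if not full or full in taken:
        return None
    taken.add(full)
    return full


def hijacks_existing(created: Optional[str], taken: Set[str]) -> bool:
    """True when a 'new' name resolves to an account that already exists."""
    return created is not None and canonical(created) in taken


def demo() -> Dict[str, bool]:
    """Walk through the cases the thread describes against a constructed DB."""
    names = {"johndoe"}  # constructed: one registered account, canonical form
    # Case 1: an existing name split as prefix "Jo" + remainder "hnDoe".
    # The flawed check sees only "hndoe", which is free, and creates "JohnDoe".
    takeover = hijacks_existing(flawed_register("Jo", "hnDoe", names), names)
    blocked = hardened_register("Jo", "hnDoe", set(names)) is None
    # Case 2, the immunity rule: if the remainder is itself a registered name,
    # even the flawed check refuses the split.
    immune = flawed_register("Jo", "hnDoe", names | {"hndoe"}) is None
    # Case 3: a two-blank-space prefix. The flawed path stores the raw
    # "  Fresh"; the hardened path folds whitespace and stores "fresh".
    indented = flawed_register("  ", "Fresh", set(names)) == "  Fresh"
    folded = hardened_register("  ", "Fresh", set(names)) == "fresh"
    return {
        "flawed_allows_takeover": takeover,
        "hardened_blocks_takeover": blocked,
        "immune_when_remainder_taken": immune,
        "flawed_allows_indented_lookalike": indented,
        "hardened_folds_whitespace": folded,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```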
So use Jabber (Score:2)