Feeds

AOL Instant Msgr accounts easily hijacked

Hacker gold rush

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Hackers exploiting a loophole in America Online's sign-up process have begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking them virtually at will.

The technique emerged early this month on AOL-Files, a meeting place for AOL hackers, where it was born as a harmless hack that allows users to establish AOL accounts with indented screen names.

The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of Inside-AOL and a long-time chronicler of AOL's foibles. "And it only became a significant problem in the past week."

America Online uses the same screen names across its subscription service and its instant messaging system. The bug is manifest in the way the system checks a new subscriber's chosen screen name for conflicts with existing AIM accounts.

By manipulating the nuts and bolts of AOL's sign-up form with tools long available on the Net, hackers can set the value of a two-character variable which is sent immediately before the new screen name in the sign-up process.

The sign-up ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later appends the variable to the screen name when actually creating the account. A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, then the system will set up the account for "John Doe" -- even if "John Doe" is already in use.

The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.

Credit Cards Abused

Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.

Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."

Once an AOL account exists under an AIM screen name it cannot be hijacked again -- although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, except for the first two letters, are already taken are also immune: i.e., if an 'hn Doe' were to have an AIM account, then a 'John Doe' would be safe from being hijacked, as the technique requires a hacker to register 'hn Doe' to take over 'John Doe'.

AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the US alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.

AOL did not return repeated phone calls on the subject.

© 2000 SecurityFocus.com. All rights reserved.

Build a business case: developing custom apps

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Amazon says Hachette should lower ebook prices, pay authors more
Oh yeah ... and a 30% cut for Amazon to seal the deal
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Nintend-OH NO! Sorry, Mario – your profits are in another castle
Red-hatted mascot, red-colored logo, red-stained finance books
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
Feel free to BONK on the TUBE, says Transport for London
Plus: Almost NOBODY uses pay-by-bonk on buses - Visa
Twitch rich as Google flicks $1bn hitch switch, claims snitch
Gameplay streaming biz and search king refuse to deny fresh gobble rumors
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.