Feeds

AOL Instant Msgr accounts easily hijacked

Hacker gold rush

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Hackers exploiting a loophole in America Online's sign-up process have begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking them virtually at will.

The technique emerged early this month on AOL-Files, a meeting place for AOL hackers, where it was born as a harmless hack that allows users to establish AOL accounts with indented screen names.

The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of Inside-AOL and a long-time chronicler of AOL's foibles. "And it only became a significant problem in the past week."

America Online uses the same screen names across its subscription service and its instant messaging system. The bug is manifest in the way the system checks a new subscriber's chosen screen name for conflicts with existing AIM accounts.

By manipulating the nuts and bolts of AOL's sign-up form with tools long available on the Net, hackers can set the value of a two-character variable which is sent immediately before the new screen name in the sign-up process.

The sign-up ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later appends the variable to the screen name when actually creating the account. A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, then the system will set up the account for "John Doe" -- even if "John Doe" is already in use.

The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.

Credit Cards Abused

Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.

Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."

Once an AOL account exists under an AIM screen name it cannot be hijacked again -- although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, except for the first two letters, are already taken are also immune: i.e., if an 'hn Doe' were to have an AIM account, then a 'John Doe' would be safe from being hijacked, as the technique requires a hacker to register 'hn Doe' to take over 'John Doe'.

AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the US alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.

AOL did not return repeated phone calls on the subject.

© 2000 SecurityFocus.com. All rights reserved.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
In the next four weeks, 100 people will decide the future of the web
While America tucks into Thanksgiving turkey, the world will be taking over the net
Microsoft EU warns: If you have ties to the US, Feds can get your data
European corps can't afford to get complacent while American Big Biz battles Uncle Sam
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.