Feeds

AOL Instant Msgr accounts easily hijacked

Hacker gold rush

  • alert
  • submit to reddit

Gartner critical capabilities for enterprise endpoint backup

Hackers exploiting a loophole in America Online's sign-up process have begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking them virtually at will.

The technique emerged early this month on AOL-Files, a meeting place for AOL hackers, where it was born as a harmless hack that allows users to establish AOL accounts with indented screen names.

The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of Inside-AOL and a long-time chronicler of AOL's foibles. "And it only became a significant problem in the past week."

America Online uses the same screen names across its subscription service and its instant messaging system. The bug is manifest in the way the system checks a new subscriber's chosen screen name for conflicts with existing AIM accounts.

By manipulating the nuts and bolts of AOL's sign-up form with tools long available on the Net, hackers can set the value of a two-character variable which is sent immediately before the new screen name in the sign-up process.

The sign-up ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later appends the variable to the screen name when actually creating the account. A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, then the system will set up the account for "John Doe" -- even if "John Doe" is already in use.

The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.

Credit Cards Abused

Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.

Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."

Once an AOL account exists under an AIM screen name it cannot be hijacked again -- although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, except for the first two letters, are already taken are also immune: i.e., if an 'hn Doe' were to have an AIM account, then a 'John Doe' would be safe from being hijacked, as the technique requires a hacker to register 'hn Doe' to take over 'John Doe'.

AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the US alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.

AOL did not return repeated phone calls on the subject.

© 2000 SecurityFocus.com. All rights reserved.

Boost IT visibility and business value

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Fast And Furious 6 cammer thrown in slammer for nearly three years
Man jailed for dodgy cinema recording of Hollywood movie
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Assange™: Hey world, I'M STILL HERE, ignore that Snowden guy
Press conference: ME ME ME ME ME ME ME (cont'd pg 94)
Call of Duty daddy considers launching own movie studio
Activision Blizzard might like quality control of a CoD film
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?