Feeds

AOL Instant Msgr accounts easily hijacked

Hacker gold rush

  • alert
  • submit to reddit

Security for virtualized datacentres

Hackers exploiting a loophole in America Online's sign-up process have begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking them virtually at will.

The technique emerged early this month on AOL-Files, a meeting place for AOL hackers, where it was born as a harmless hack that allows users to establish AOL accounts with indented screen names.

The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of Inside-AOL and a long-time chronicler of AOL's foibles. "And it only became a significant problem in the past week."

America Online uses the same screen names across its subscription service and its instant messaging system. The bug is manifest in the way the system checks a new subscriber's chosen screen name for conflicts with existing AIM accounts.

By manipulating the nuts and bolts of AOL's sign-up form with tools long available on the Net, hackers can set the value of a two-character variable which is sent immediately before the new screen name in the sign-up process.

The sign-up ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later appends the variable to the screen name when actually creating the account. A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, then the system will set up the account for "John Doe" -- even if "John Doe" is already in use.

The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.

Credit Cards Abused

Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.

Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."

Once an AOL account exists under an AIM screen name it cannot be hijacked again -- although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, except for the first two letters, are already taken are also immune: i.e., if an 'hn Doe' were to have an AIM account, then a 'John Doe' would be safe from being hijacked, as the technique requires a hacker to register 'hn Doe' to take over 'John Doe'.

AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the US alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.

AOL did not return repeated phone calls on the subject.

© 2000 SecurityFocus.com. All rights reserved.

Choosing a cloud hosting partner with confidence

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.