SecurityFocus 2000-11-29
Most AOL Instant Messenger accounts are up for grabs in hacker gold rush.
People trade desirable screen names for stolen credit card numbers, which are then used to make more desirable screen names.
The technique emerged early this month on
The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of
America Online uses the same screen names across its subscription service and its instant messaging system. The
By manipulating the nuts and bolts of AOL's signup form with tools long available on the net, hackers can set the value of a two-character variable that's sent immediately before the new screen name in the signup process.
The signup process ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later prepends the variable to the screen name when actually creating the account.
A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, then the system will set up the account for "John Doe" -- even if "John Doe" is already in use.
The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.
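The flaw described above is a mismatch between what is validated and what is created. The following toy signup service is an added illustration, not AOL's code; it assumes a single registry of taken names (the article distinguishes AOL and AIM) and a case- and space-insensitive comparison, and shows the vulnerable flow beside a hardened one that validates the fully composed name.

```python
# Added illustration, not AOL's code. Models the bug in the article: the
# availability check looks only at the submitted screen name, but creation
# prepends the hidden form field uni_next_atom_typed, so the name actually
# created was never checked. The single registry and the normalization rule
# below are assumptions made for this example.

def normalize(name: str) -> str:
    """Comparison key: ignore case and whitespace (assumed AOL-like rule)."""
    return "".join(name.split()).lower()


class SignupService:
    def __init__(self, existing):
        # Constructed registry of screen names already in use (AOL or AIM).
        self.taken = {normalize(n) for n in existing}

    def _is_available(self, name: str) -> bool:
        return normalize(name) not in self.taken

    def create_vulnerable(self, prefix: str, screen_name: str):
        """Buggy flow: check screen_name alone, then create prefix + screen_name.
        Returns the created name, or None if the check rejected it."""
        if not self._is_available(screen_name):
            return None
        full = prefix + screen_name          # never checked for a conflict
        self.taken.add(normalize(full))
        return full

    def create_fixed(self, prefix: str, screen_name: str):
        """Hardened flow: compose the final name first, validate it, and
        check availability on exactly the string that will be created."""
        full = prefix + screen_name
        if not full or full != full.strip():
            return None                      # rejects blank/indented names
        if not self._is_available(full):
            return None
        self.taken.add(normalize(full))
        return full
```

The vulnerable path hands out "John Doe" when only "hn Doe" was checked; the fixed path refuses it, and also refuses the two-space prefix that produced indented names.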
Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.
Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.
AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the U.S. alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.
AOL did not return repeated phone calls on the subject.