Digg this story   Add to del.icio.us  
Hijackers take AIM accounts
Kevin Poulsen, SecurityFocus 2000-11-29

Most AOL Instant Messenger accounts are up for grabs in hacker gold rush.

Hackers exploiting a loophole in America Online's signup process have begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking them virtually at will.

The technique emerged early this month on AOL-Files, a meeting place for AOL hackers, where it was born as a harmless hack that allows users to establish AOL accounts with screen names that are -- unconventionally -- indented.

The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of Inside-AOL and a longtime chronicler of AOL's foibles. "And it only became a significant problem in the past week."

America Online uses the same screen names across its subscription service and its instant messaging system. The bug is in the way the system checks that a new AOL subscriber's chosen screen name doesn't conflict with existing AIM accounts.

By manipulating the nuts and bolts of AOL's signup form with tools long available on the net, hackers can set the value of a two-character variable that's sent immediately before the new screen name in the signup process.

The signup process ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later prepends the variable to the screen name when actually creating the account.

A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, than the system will set up the account for "John Doe" -- even if "John Doe" is already in use.

The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.

Credit Cards Abused
Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.

Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."

Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.

AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the U.S. alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.

AOL did not return repeated phone calls on the subject.

    Digg this story   Add to del.icio.us  
Comments Mode:
Liberation not Destruction 2000-11-30
Genetix (3 replies)
Liberation not Destruction 2000-11-30
Re: Liberation not Destruction 2007-01-08
Ignorance. 2000-12-03
Spooky (1 replies)
Re: Ignorance. 2005-08-10
Anonymous (1 replies)
Re: Re: Ignorance. 2005-08-30
Anonymous (1 replies)
Blah 2005-10-18


Privacy Statement
Copyright 2010, SecurityFocus