[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AOL Groups/AIM Information Disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AOL Groups/AIM Information Disclosure
From: Link Linkovich <linkovich@xxxxxxxxx>
Date: Tue, 14 Sep 2004 23:45:23 -0400

AOL Groups/AIM Information Disclosure
Link Linkovich
Sept 18, 2004


---BACKGROUND---
*AIM/EMAIL
When a user creates an AOL Instant Messanger(AIM) account they are
asked to provide an email address for the purpose of recovering lost
passwords. This email address is not published anywhere as a link to
the screenname. AOL goes to great lengths to protect this email
account. If a user desires to change their email address a
confirmation is sent to BOTH the new address and the old address. The
user must then wait 72 hours before the email change will take place.

*AOL Groups
AOL offers to AOL and AIM members a service called AOL Groups. Users
may join public groups or may be invited to private groups. Any AOL
member may create a group, AIM members may only join an exisiting
group. When an AOL member creates a group, he/she is given the option
to send out invites to AOL or AIM screennames. He/she simply only
needs to know the screenname. An email invitation is then sent to the
registered email of the user asking if he/she would like to join this
group.

---PROBLEM DESCRIPTION---
The AOL group invite system is flawed in two ways.

1) There is no limit on how many invites you may send one person. A
malicious user can flood a user with requests in minutes, creating a
"mailbomb" from groups.aol.com. One such attack wrecked havoc on a
Microsoft Exchange Server.

2) Once a user's mailbox is either full or the email server can no
longer accept requests AOL returns the malicious attacker with a
message to the effect of: "myemail@xxxxxxxxx can not be reached"

---RAMIFICATIONS----
Aside from the mailbomb and denial of service attack against a mail
server this opens a huge information disclosure. The attacker now has
an email account and the knowledge of a screenname to launch further
attacks either via an email exploit or social engineering.

---VENDOR STATUS---
Detailed Information submitted to them several times since the inital
"mailbomb". No responses.


I'm sorry if I have not accurately described windows/messages
throughout this text but I was on the receiving end of an attack.
After three days of research I was finally able to piece together what
took place.

/Link/

Prev by Date: wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities
Next by Date: Tool announcement: fakebust
Previous by thread: Re:[2] Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue
Next by thread: Tool announcement: fakebust
Index(es):
- Date
- Thread