AOL Instant Messenger contains a caching vulnerability where once you have logged onto AIM with a screenname, you can permanently log in with that screenname.
% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory %
Author: f3d
Program: AOL Instant Messenger Servers/Clients
Fault: Caching vulnerability
OS: Win/BSD/*Aim compatible
% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory %
Problem. There is a vulnerability in the AOL Instant Messenger client and/or
servers: they depend too heavily upon caching. The
problem with the servers' and clients' authentication method is that once you
have logged onto AIM with a screenname, you can permanently log in with
that screenname.
Explanation. I guess AOL went along with the "Once good always good" theory,
because even if an AOL member changes his/her password, if the correct
cache is on the computer for the previous password, you are still able to
log in to AIM. This obviously shows that authentication is on a one-time
basis, and thereafter it is based upon some sort of algorithm, to speed
up login time and conserve system resources. Although this bug seems to
be very blunt, there is one hindrance: Instant Messages are disabled, followed
by this error, and your privacy settings cannot be reset:
"AOL Instant Messanger(SM) cannot send this message because you have blocked
the recipient. You can change this setting on the Privacy tab of the Preferences
dialog."
Other features, such as Chat, are not disabled. This bug was found in the latest
beta release of AIM, and is believed to have affected all previous versions.
Anyone else noticed this? Or taken advantage of it in other ways?
Email: f3dster@hushmail.com
% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory %
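
Added example (not part of the original advisory and not AOL's code): a small model of the flaw described above, where a cached login token that ignores password changes stays valid forever, next to a token bound to a credential version that a password change invalidates. The class, function names, token layout and the "epoch" counter are assumptions made for illustration; the advisory does not describe AIM's actual cache format.

```python
import hashlib
import hmac
import os

SERVER_KEY = os.urandom(32)  # constructed demo secret, held only by the server


class Account:
    def __init__(self, name, password):
        self.name = name
        self.epoch = 0  # credential version, bumped on every password change
        self._store(password)

    def _store(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def change_password(self, new_password):
        self._store(new_password)
        self.epoch += 1  # invalidates every token issued under the old password


def _mac(*fields):
    # repr() of the tuple keeps field boundaries unambiguous
    return hmac.new(SERVER_KEY, repr(fields).encode(), hashlib.sha256).hexdigest()


def issue_token(acct, password, bound=True):
    """Full login: verify the password, return a token the client may cache."""
    if not acct.check_password(password):
        return None
    # Weak form covers only the name; bound form also covers the epoch.
    return _mac(acct.name, str(acct.epoch)) if bound else _mac(acct.name)


def cached_login(acct, token, bound=True):
    """Fast path: accept a cached token without asking for the password."""
    if token is None:
        return False
    expected = _mac(acct.name, str(acct.epoch)) if bound else _mac(acct.name)
    return hmac.compare_digest(token, expected)
```

With bound=False the fast path reproduces the "once good always good" behaviour; with bound=True the client falls back to a full password login after any password change.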