aoljournals_advisory.txt
Posted Oct 27, 2004
Authored by Steven

An information disclosure flaw in AOL Journals allows any remote attacker to increment BlogIDs in order to reveal other users' e-mail addresses.

tags | advisory, remote, info disclosure
SHA-256 | 02d5f5dd347c2ac7772bcb3d661d9a6de4bf662b8460563f0fcc4e1d311b4c14

Date:          October 22, 2004
Vendor: America Online Inc.
Issue: AOL Journals BlogID incrementing discloses account names and
e-mail addresses
URL: http://journals.aol.com / AOL Keyword: Journals
Advisory: http://www.lovebug.org/aoljournals_advisory.txt


Service Overview:

AOL Journals is America Online's blog (weblog) service for AOL
members/subscribers (it excludes AIM users). Members can post messages by
logging into the service or by sending an instant message to the screen name
"AOL Journals".

Issue:

The issue lies in the Atom/RSS feed option. Each journal carries a link that
lets readers obtain an Atom or RSS feed for that weblog. The popup page that
contains the feed links displays the full path to the user's feed, and that
path includes the username, which is also the user's e-mail address. The link
to the popup itself, however, is not built from the username and blog name.
Instead it uses a BlogID number, which appears simply to be incremented as
blogs are created.

As a result an attacker can increment through the numbers and harvest
thousands of user e-mail addresses. The flaw is especially noteworthy because
of the ease and speed with which the usernames can be obtained. The usernames
and blog names could also be walked to gather information on each user, for
example for targeted spam, among other things.

Here is an example of the URL:

http://journals.aol.com/_do/rss_popup?blogID=#

Replace # with a number. The current/newest ID number is in excess of 700000.
Some numbers return an error (the blog no longer exists), and several
consecutive numbers may belong to the same username, since each new blog a
user creates is assigned a fresh BlogID.

Solutions:

Don't key the Atom/RSS feed popup on a sequential BlogID, and don't display the
username-bearing feed path in it. A non-guessable (random) identifier would stop
the enumeration, and keeping the screen name out of the feed URL would remove
the disclosure even if an identifier were guessed.
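As an added illustration (not part of the original advisory and not AOL's code), the following Python models both the enumeration described under Issue and the fix suggested under Solutions. The blog table, the popup markup, the opaque-handle scheme and the username@aol.com mapping are all assumptions constructed for the example.

```python
import re
import secrets
from typing import Callable, Dict, Optional, Set

# Constructed sample data (an assumption, not AOL's real table): a handful of
# sequential BlogIDs with a gap for a deleted blog and one user owning two blogs.
BLOGS = {
    700001: ("alice", "my-journal"),
    700002: ("bob", "hokie-notes"),
    700004: ("alice", "second-blog"),
    700005: ("carol", "travel"),
}

# Assumption taken from the advisory: the AOL username is also the e-mail address.
MAIL_DOMAIN = "aol.com"


def rss_popup_vulnerable(blog_id: int) -> Optional[str]:
    """Stand-in for /_do/rss_popup?blogID=N as the advisory describes it:
    resolve a sequential BlogID and render feed links whose path embeds the
    screen name. Returns None for a BlogID that no longer exists."""
    entry = BLOGS.get(blog_id)
    if entry is None:
        return None
    user, blog = entry
    return (
        f'<a href="http://journals.aol.com/{user}/{blog}/rss.xml">RSS</a>\n'
        f'<a href="http://journals.aol.com/{user}/{blog}/atom.xml">Atom</a>'
    )


# Pull (username, blogname) out of a feed path like /alice/my-journal/rss.xml.
FEED_PATH_RE = re.compile(r'journals\.aol\.com/([^/"]+)/([^/"]+)/(?:rss|atom)\.xml')


def harvest(popup: Callable[[int], Optional[str]], start: int, count: int) -> Dict[str, Set[str]]:
    """The enumeration the advisory describes: request consecutive BlogIDs and
    collect the username from every feed path found. Missing IDs are skipped
    and a user's multiple blogs fold into a single entry."""
    found: Dict[str, Set[str]] = {}
    for blog_id in range(start, start + count):
        page = popup(blog_id)
        if page is None:
            continue
        for user, _blog in FEED_PATH_RE.findall(page):
            found.setdefault(user, set()).add(f"{user}@{MAIL_DOMAIN}")
    return found


# Hardened variant (a hypothetical design, not something AOL shipped): each blog
# is addressed by a random 128-bit handle, and the feed URL is keyed on that
# handle instead of on the screen name. token_hex keeps the handle to [0-9a-f],
# so no screen name can appear inside it by accident.
OPAQUE_HANDLES: Dict[str, int] = {secrets.token_hex(16): bid for bid in BLOGS}


def rss_popup_hardened(handle: str) -> Optional[str]:
    """Same popup, but looked up by opaque handle and rendered without the
    username, so neither guessing the handle nor reading the page yields it."""
    blog_id = OPAQUE_HANDLES.get(handle)
    if blog_id is None:
        return None
    return (
        f'<a href="http://journals.aol.com/_do/feed?handle={handle}&fmt=rss">RSS</a>\n'
        f'<a href="http://journals.aol.com/_do/feed?handle={handle}&fmt=atom">Atom</a>'
    )


def page_leaks_username(page: str) -> bool:
    """True if any known screen name appears anywhere in the rendered page."""
    return any(user in page for user, _blog in BLOGS.values())


if __name__ == "__main__":
    # Sequential IDs: six requests recover every user in the sample table.
    print(harvest(rss_popup_vulnerable, 700000, 6))
    # Opaque handles: the same integer walk hits nothing, and even a valid
    # handle renders a page that carries no screen name.
    print(harvest(lambda i: rss_popup_hardened(str(i)), 700000, 6))
    handle = next(iter(OPAQUE_HANDLES))
    print(page_leaks_username(rss_popup_hardened(handle)))
```

The two halves of the fix are independent: the random handle defeats the sequential walk, and removing the screen name from the feed path means that even a leaked or guessed handle discloses nothing. Either alone would have blunted the advisory's attack; together they close it.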

Vendor Response:

As mentioned in previous advisories related to America Online, there has
been no report to the vendor. All previous attempts to report bugs in
America Online have gone ignored. They also do not provide a point of
contact for reporting bugs. However, all contact with other employees at
America Online in related departments has yielded negative or no response.

Once again, if America Online would like to provide a point of contact for
bugs, I would gladly contact them prior to disclosure. E-mail:
steven@lovebug.org | Yes, there are currently more 'known' bugs.

Credits:

welcome.wav & gotmail.wav

Go Hokies! :D


-Steven
steven@lovebug.org

