aolpwreset_advisory.txt
Posted Jan 2, 2005
Authored by Steven

AOL's Online Password Reset feature does not fully validate user information.

tags | advisory
SHA-256 | 6360be8f77cfa54486b56369d74757273b26fcc9ba88fe0e49590994497345d4

Vendor: America Online Inc.
Date: January 1, 2005
Issue: AOL's Online Password Reset feature does not fully validate user information
URL: http://www.aol.com
Advisory: http://www.lovebug.org/aolpwreset_advisory.txt


Service Overview:

This report is in reference to the Online Password Reset that exists for the AOL client for paying user accounts and not AOL Instant Messenger. I think chances are if you're reading this, you should be aware that AOL is still the world's largest Internet Service Provider.

Issue:

AOL has an Online Password Reset feature that enables users that have forgotten their password to reset it online. This feature comes by way of a window that may pop up if the user has supplied an invalid password two times in a row. (Note: This does not apply when signing on as Guest or at New User). The first screen that pops up is a word verification screen. The user must simply write the letters in a box that are displayed from an image. Upon doing this the user is brought to the next and most important screen in the process. This is the Member Verification screen where they must enter the First Name, Last Name, and the Daytime and Evening Phone Number along with the Last 4 Digits of their billing method account number or the answer to an account security question (if one is set). If an account security question is in place, it will only ask the user for the First Name and Last Name, and the answer to the account security question. It will not ask for the phone numbers or the last four digits of the billing method.

While these may not be the most secure items to ask for to begin with, there is an issue with user input validation. To successfully reset the password for an account, the user does NOT need to supply the full first or last name. In fact, only the first letter of both is required. If the name on my account were Homer Simpson, all I would need to do is type in H and S for the first and last name. The next issue is that it does not appear to check both daytime and evening phone numbers. In my limited testing, I have found that you can simply enter one correct phone number in either field and the second phone number does not matter (in fact you can just put 555-555-5555). However, to their credit it appears that the answer to the security question must be complete and exactly as originally typed. Also, if the last four digits of the billing method come up, the exact and entire four must be entered correctly for validation.

This results in a problem with only having to supply a limited bit of information to reset a password. On an even more extreme note, this could also be used to discover information about an account. The user is given 4 tries to get the information correct to reset the password. If the user enters some fields correctly but others incorrectly, the Online Reset window will return the correct fields with the previously entered information and leave all invalid fields blank. This can be used to verify a name, phone number, and billing digits on the account.
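To make the two validation weaknesses above concrete (partial names and either phone number being accepted, and the per-field echo that turns the form into an oracle for the remaining fields), here is an added Python example that is not part of the original advisory. It models the described check beside a hardened version that compares every field in full, evaluates all fields regardless of earlier failures, and returns only pass or fail; the account record, field names and phone numbers are constructed for the example.

```python
import hmac

# Constructed sample account record, not real AOL data; the name follows the
# advisory's Homer Simpson example.
ACCOUNT = {
    "first": "Homer", "last": "Simpson",
    "day_phone": "555-555-1234", "eve_phone": "555-555-5678",
    "billing_last4": "4242",
}
FIELDS = ("first", "last", "day_phone", "eve_phone", "billing_last4")


def normalize(value: str) -> str:
    """Case-fold and drop separators so '555-555-1234' equals '5555551234'."""
    return "".join(ch for ch in value.casefold() if ch.isalnum())


def weak_verify(acct: dict, given: dict) -> dict:
    """Models the checks the advisory describes: a name passes if the user typed
    its first letter(s), one correct phone number in either field is enough, and
    the reply reports which fields matched, so each value can be confirmed
    independently of the others."""
    a = {k: normalize(acct[k]) for k in FIELDS}
    g = {k: normalize(given.get(k, "")) for k in FIELDS}
    known_phones = (a["day_phone"], a["eve_phone"])
    matched = {
        "first": bool(g["first"]) and a["first"].startswith(g["first"]),
        "last": bool(g["last"]) and a["last"].startswith(g["last"]),
        "phone": g["day_phone"] in known_phones or g["eve_phone"] in known_phones,
        "billing_last4": g["billing_last4"] == a["billing_last4"],
    }
    return {"ok": all(matched.values()), "matched": matched}


def hardened_verify(acct: dict, given: dict) -> bool:
    """Every field is compared in full and in its own position, and the caller
    learns only whether the whole set matched."""
    ok = True
    for key in FIELDS:
        expected = normalize(acct[key]).encode()
        supplied = normalize(given.get(key, "")).encode()
        # compare_digest is constant-time for equal-length inputs; the running
        # AND keeps every field evaluated so no comparison short-circuits
        ok &= hmac.compare_digest(expected, supplied)
    return ok
```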

Solutions:

At the login screen intentionally type your password incorrectly two times. When the password reset window pops up, enter the word verification and then go to the Member Verification screen. At this point just enter bogus information four times until it boots you off. This will disable the online reset feature for the screen name since the information was entered incorrectly. The feature will probably be turned on again at some point after a given period of time, but I believe it is a rather long period if that's the case. Also, don't use a security question with an easy answer that people might know or that is flat-out guessable (e.g. What is my favorite color?).


Vendor Response:

After my previous bug reports related to America Online, I noted that I had knowledge of more (and I still do) and would be more than willing to share this information with the vendor if they cared to hear it. I received a response from AOL not too long after that, but it seems that maintaining the communication is rather difficult for some reason. The vendor has not been notified of this problem, at least not until reading this.

My e-mail address hasn't changed and works fine: <steven@lovebug.org> | If anyone at AOL is interested in knowing bugs prior to disclosure, feel free to drop me a line. There are a few more you might like to know about :-)

Credits:

Myself and the year 2005.

Go Hokies! Sugar Bowl Time! :D


-Steven
steven@lovebug.org

