AOL's Online Password Reset feature does not fully validate user information.
Vendor: America Online Inc.
Date: January 1, 2005
Issue: AOL's Online Password Reset feature does not fully validate user information
URL: http://www.aol.com
Advisory: http://www.lovebug.org/aolpwreset_advisory.txt
Service Overview:
This report concerns the Online Password Reset that exists for the AOL client for paying user accounts, not AOL Instant Messenger. If you're reading this, chances are you already know that AOL is still the world's largest Internet Service Provider.
Issue:
AOL has an Online Password Reset feature that enables users who have forgotten their password to reset it online. The feature comes by way of a window that may pop up after the user has supplied an invalid password two times in a row. (Note: this does not apply when signing on as Guest or as New User.) The first screen that pops up is a word verification screen: the user must simply type into a box the letters displayed in an image. Upon doing this the user is brought to the next and most important screen in the process, the Member Verification screen. There they must enter the First Name, Last Name, and the Daytime and Evening Phone Numbers, along with the Last 4 Digits of their billing method account number or the answer to an account security question (if one is set). If an account security question is in place, it will only ask the user for the First Name, Last Name, and the answer to the account security question; it will not ask for the phone numbers or the last four digits of the billing method.
While these may not be the most secure items to ask for to begin with, there is an issue with user input validation. To successfully reset the password for an account, the user does NOT need to supply the full first or last name. In fact, only the first letter of each is required: if the name on my account were Homer Simpson, all I would need to type is H and S for the first and last name. The next issue is that it does not appear to check both daytime and evening phone numbers. In my limited testing, I have found that you can simply enter one correct phone number in either field and the second phone number does not matter (in fact you can just put 555-555-5555). However, to their credit, it appears that the answer to the security question must be complete and exactly as originally typed. Also, if the last four digits of the billing method come up, the exact and entire four must be entered correctly for validation.
The result is that only a limited bit of information has to be supplied to reset a password. On an even more extreme note, the feature can also be used to discover information about an account. The user is given 4 tries to get the information correct to reset the password. If the user enters some fields correctly but others incorrectly, the Online Reset window returns the correct fields with the previously entered information and leaves all invalid fields blank. This can be used to verify a name, phone number, and billing digits on the account, since each attempt confirms or denies every field independently rather than giving a single pass/fail answer.
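To make the two defects concrete, here is an added example written for this page (it is not AOL's code, and the account record, field names, helper names and the four-attempt limit are assumptions). It models the verifier as the advisory describes it, with prefix-matched names, a single phone number satisfying both phone fields, and per-field echo of what was right, beside a hardened verifier that requires every field in full, compares without short-circuiting, returns one yes/no, and locks the screen name after repeated failures.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass


# Constructed sample account for this example; the record layout and values
# are assumptions, not AOL data.
@dataclass(frozen=True)
class Account:
    first_name: str
    last_name: str
    day_phone: str
    eve_phone: str
    billing_last4: str


ACCOUNT = Account("Homer", "Simpson", "555-123-4567", "555-765-4321", "1234")
FIELDS = ("first_name", "last_name", "day_phone", "eve_phone", "billing_last4")


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def _name(s: str) -> str:
    return " ".join(s.split()).casefold()


def weak_verify(acct: Account, sub: dict) -> tuple[bool, dict]:
    """Models the behaviour the advisory describes (an assumption about the
    real implementation, not its code): a non-empty prefix satisfies each
    name check, one correct phone number in either field satisfies the phone
    check, and the response echoes every correct field while blanking the
    wrong ones, so each attempt confirms or denies the fields one by one."""
    ok = {
        "first_name": sub["first_name"] != ""
        and _name(acct.first_name).startswith(_name(sub["first_name"])),
        "last_name": sub["last_name"] != ""
        and _name(acct.last_name).startswith(_name(sub["last_name"])),
        "billing_last4": _digits(sub["billing_last4"]) == acct.billing_last4,
    }
    stored = {_digits(acct.day_phone), _digits(acct.eve_phone)}
    for f in ("day_phone", "eve_phone"):
        ok[f] = _digits(sub[f]) in stored
    passed = (ok["first_name"] and ok["last_name"] and ok["billing_last4"]
              and (ok["day_phone"] or ok["eve_phone"]))
    echoed = {f: (sub[f] if ok[f] else "") for f in FIELDS}  # the oracle
    return passed, echoed


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison of the normalised values (length still leaks,
    # which is acceptable for fixed-length data such as four billing digits).
    return hmac.compare_digest(a.encode(), b.encode())


def strict_verify(acct: Account, sub: dict) -> bool:
    """Hardened counterpart: every field must match in full after
    normalisation, all checks are evaluated before any is inspected (no
    short-circuit), and the caller gets one yes/no with no per-field echo."""
    checks = [
        _eq(_name(acct.first_name), _name(sub["first_name"])),
        _eq(_name(acct.last_name), _name(sub["last_name"])),
        _eq(_digits(acct.day_phone), _digits(sub["day_phone"])),
        _eq(_digits(acct.eve_phone), _digits(sub["eve_phone"])),
        _eq(acct.billing_last4, _digits(sub["billing_last4"])),
    ]
    return all(checks)


class ResetGate:
    """Per-screen-name attempt counter. The advisory reports four tries before
    the feature shuts off; that limit is assumed here, and a locked gate also
    refuses a later correct answer until an out-of-band unlock."""

    MAX_ATTEMPTS = 4

    def __init__(self, acct: Account) -> None:
        self.acct = acct
        self.failures = 0
        self.locked = False

    def attempt(self, sub: dict) -> bool:
        if self.locked:
            return False
        if strict_verify(self.acct, sub):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.MAX_ATTEMPTS
        return False


# The probe from the advisory: initials only, one real phone, a dummy second.
PROBE = {"first_name": "H", "last_name": "S", "day_phone": "555-123-4567",
         "eve_phone": "555-555-5555", "billing_last4": "1234"}
# A fully correct submission, to show the hardened check still admits the owner.
FULL = {"first_name": "Homer", "last_name": "Simpson", "day_phone": "555-123-4567",
        "eve_phone": "555-765-4321", "billing_last4": "1234"}

if __name__ == "__main__":
    print("weak  :", weak_verify(ACCOUNT, PROBE))
    print("strict:", strict_verify(ACCOUNT, PROBE), strict_verify(ACCOUNT, FULL))
```

Run as a script, the weak verifier accepts the H/S probe and hands back the echoed dictionary that reveals which phone number was right, while the strict verifier rejects it and accepts only the complete record. The point of building the check list before calling `all()` is that the hardened version does the same work whether the first field or the last one is wrong, so neither timing nor the response body tells a caller which field to fix.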
Solutions:
At the login screen, intentionally type your password incorrectly two times. When the password reset window pops up, enter the word verification and then go to the Member Verification screen. At this point just enter bogus information four times until it boots you off. This will disable the online reset feature for the screen name since the information was entered incorrectly. The feature will probably be turned on again at some point after a given period of time, but I believe it is a rather long period if that's the case. Also, don't use a security question with an easy answer that people might know or that is flat out guessable (e.g. What is my favorite color?).
Vendor Response:
After my previous bug reports related to America Online, I noted that I had knowledge of more (and I still do) and would be more than willing to share this information with the vendor if they cared to hear it. I received a response from AOL not too long after that, but it seems that maintaining the communication is rather difficult for some reason. The vendor has not been notified of this problem, at least not until reading this.
My e-mail address hasn't changed and works fine: <steven@lovebug.org> | If anyone at AOL is interested in knowing bugs prior to disclosure, feel free to drop me a line. There are a few more you might like to know about :-)
Credits:
Myself and the year 2005.
Go Hokies! Sugar Bowl Time! :D
-Steven
steven@lovebug.org