[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6a9a093e04091420456b89a94f@mail.gmail.com>
Date: Tue, 14 Sep 2004 23:45:23 -0400
From: Link Linkovich <linkovich@...il.com>
To: bugtraq@...urityfocus.com
Subject: AOL Groups/AIM Information Disclosure
AOL Groups/AIM Information Disclosure
Link Linkovich
Sept 18, 2004
---BACKGROUND---
*AIM/EMAIL
When a user creates an AOL Instant Messanger(AIM) account they are
asked to provide an email address for the purpose of recovering lost
passwords. This email address is not published anywhere as a link to
the screenname. AOL goes to great lengths to protect this email
account. If a user desires to change their email address a
confirmation is sent to BOTH the new address and the old address. The
user must then wait 72 hours before the email change will take place.
*AOL Groups
AOL offers to AOL and AIM members a service called AOL Groups. Users
may join public groups or may be invited to private groups. Any AOL
member may create a group, AIM members may only join an exisiting
group. When an AOL member creates a group, he/she is given the option
to send out invites to AOL or AIM screennames. He/she simply only
needs to know the screenname. An email invitation is then sent to the
registered email of the user asking if he/she would like to join this
group.
---PROBLEM DESCRIPTION---
The AOL group invite system is flawed in two ways.
1) There is no limit on how many invites you may send one person. A
malicious user can flood a user with requests in minutes, creating a
"mailbomb" from groups.aol.com. One such attack wrecked havoc on a
Microsoft Exchange Server.
2) Once a user's mailbox is either full or the email server can no
longer accept requests AOL returns the malicious attacker with a
message to the effect of: "myemail@...ob.com can not be reached"
---RAMIFICATIONS----
Aside from the mailbomb and denial of service attack against a mail
server this opens a huge information disclosure. The attacker now has
an email account and the knowledge of a screenname to launch further
attacks either via an email exploit or social engineering.
---VENDOR STATUS---
Detailed Information submitted to them several times since the inital
"mailbomb". No responses.
I'm sorry if I have not accurately described windows/messages
throughout this text but I was on the receiving end of an attack.
After three days of research I was finally able to piece together what
took place.
/Link/
Powered by blists - more mailing lists