From: fyreguy at rivetgeek.com (Remington Winters)
Subject: Re: AOL Instant Messenger - Away Setting and Snoopers

I don't think the "hide window while away" feature was designed with
security in mind. I believe it's more for keeping the desktop clear.  Someone
with local access could also just as easily turn off away and look at the
windows....


----- Original Message -----
From: "Matthew Murphy" <mattmurphy@...rr.com>
To: "BugTraq" <bugtraq@...urityfocus.com>; "Full Disclosure"
<full-disclosure@...ts.netsys.com>; "SecurITeam News" <news@...uriteam.com>;
"Vuln-Dev" <vuln-dev@...urityfocus.com>
Sent: Sunday, August 04, 2002 6:56 PM
Subject: AOL Instant Messenger - Away Setting and Snoopers


> Yet another reason never to use AOL...
>
> AOL Instant Messenger is used by many millions of people to send and receive
> messages in real-time.  It features several "states" for a user, such as
> away, idle, etc. that change the behavior of the client when set.  AOL
> employs a feature "Hide windows while away" that, as its name implies, hides
> all windows in AIM while the user is away.  However, even with windows
> hidden, it is possible for snoopers to view conversation.
>
> If a user sends you a message while you are away, and regardless of "hide
> windows" being enabled, the entire conversation between the two parties
> becomes readable to anyone with access to the terminal just by clicking the
> desired screen name.
>
> Example:
>
> 1) 2 users chat...
> 2) user A leaves, setting away status
> 3) user B checks with a simple "are you there?" type message
> 4) upon receiving the away, no further messages are exchanged, as user A has
> left
> 5) someone with local access checks the away queue for info
> 6) checking each screen name, he/she saves each transcript
> 7) user A returns, and responds to the message
> 8) chat continues...
>
> Workaround: Don't use away state, or close all conversation windows
> yourself; never use the hide window feature, that is just lazy. :-)
>
> "The reason the mainstream is thought
> of as a stream is because it is
> so shallow."
>                      - Author Unknown

