From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: AOL Instant Messenger - Away Setting and Snoopers

Yet another reason never to use AOL...

AOL Instant Messenger is used by many millions of people to send and receive
messages in real-time.  It features several "states" for a user, such as
away, idle, etc. that change the behavior of the client when set.  AOL
employs a feature "Hide windows while away" that, as its name implies, hides
all windows in AIM while the user is away.  However, even with windows
hidden, it is possible for snoopers to view conversation.

If a user sends you a message while you are away, and regardless of "hide
windows" being enabled, the entire conversation between the two parties
becomes readable to anyone with access to the terminal just by clicking the
desired screen name.

Example:

1) 2 users chat...
2) user A leaves, setting away status
3) user B checks with a simple "are you there?" type message
4) upon receiving the away, no further messages are exchanged, as user A has
left
5) someone with local access checks the away queue for info
6) checking each screen name, he/she saves each transcript
7) user A returns, and responds to the message
8) chat continues...

Workaround: Don't use away state, or close all conversation windows
yourself; never use the hide window feature, that is just lazy. :-)

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

