Message-ID: <1044326728.1268.17.camel@localhost.localdomain>
From: simon at snosoft.com (ATD)
Subject: AOL refuses to help AIM users

Juraj,
	I would love to make it public, however I am not sure as to what the
actual vulnerability is. What I do know is that it allowed the
attacker to "take over" the user's account.  In the process the attacker
was able to change the user's password. The user's client was GAIM; I am
not sure of the version as of yet. The perplexing/concerning part of
this is they did not require the user to be on-line for the account
compromise.  They can apparently change the password in the AIM database
whenever they want, which makes me wonder if it has been compromised.
Like I said, AOL was not interested in discussing this with me, even
after I identified myself. Their claim was that it was because I was not a paying
customer.

	Also take note, my last message and this one are both being carbon
copied to both toc@....com and abuse@....com, but to no avail.



On Mon, 2003-02-03 at 21:39, Juraj Bednar wrote:
> Hello,
> 
> 
>   make the vulnerability public, state why you did not communicate with
>   the vendor. It's their problem. Would be pretty bad press for them.
> 
> 
>    J.
> 
> > All,
> > 	Has anyone on this list ever tried to report a security issue to AOL? I
> > just tried to do that and was literally told, "Corporate policy states
> > that we do not help our free users.". I said, "I suppose that's because
> > you don't make any money off of the free users".  The man on the other
> > end of the line, being their security expert, then stated, "that's right".
> > Is this how they treat their prospective clients, end users, and free
> > users? What can we do about this?
> > 
> > -- 
> > ATD <simon@...soft.com>
> > Secure Network Operations, Inc.
-- 
ATD <simon@...soft.com>
Secure Network Operations, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030203/3cb491a3/attachment.bin
