Message-ID: <f460972b59245b80448dbac27b4322e7@>
From: steven at lovebug.org (steven@...ebug.org)
Subject: America Online Groups@AOL Feature - Multiple Issues

Date:   September 24, 2004
Vendor: America Online Inc.
Issue:  E-mail address disclosure and possible AIM account hijacking.
URL:    http://groups.aol.com / AOL Keyword: Groups

Notes: 

The following vulnerability in AOL's groups@aol feature can result in the
disclosure of an AOL Instant Messenger user's e-mail address and lead to
possible account hijacking.  This exploit has existed for quite some time now
and is being actively exploited in some capacities.


Service Overview:

Users of America Online (AOL) can create what is known as a group by logging
into http://groups.aol.com or going to AOL Keyword: Groups.  These groups let
AOL users create an online community where people can write each other
messages, meet and find other people, create photo display areas, manage an
events calendar, and do many other things.  Anyone who uses an AOL related
product with a screen name has the ability to join these groups.  E-mail only
users are also able to sign up but only at a limited capacity.  Users are
able to invite other members to the groups with an invitation feature that is
available once logged in.  With this invitation feature, the user can invite
more members by addressing invitations to either an e-mail address or an AOL
related screen name.

Exploitation:

This group invitation feature can lead to AOL Instant Messenger (AIM) account
e-mail address disclosure and account hijacking.  AIM users are required to
enter an e-mail address (whether real or not) during signup.  This e-mail
address is where lost passwords will be sent if the user forgets their
password and goes to:
http://www.aim.com/help_faq/forgot_password/password.adp?.  This e-mail
address is also where group invitations arrive when users of an AOL Group
request that a screen name join their group.

If a user sends a group invitation to a screen name with an invalid e-mail
address (i.e. the user entered a fake one when signing up or no longer has
access to it) then an error message will be generated by the MAILER-DAEMON at
that e-mail host address.  This error message will then be sent back to the
e-mail address of the user who sent the invitation.  The message will
disclose the e-mail address, no longer in use, that is associated with the
invited screen name.  At this point an attacker has multiple means to attempt
to gain access to this e-mail address.  If the e-mail address was through a
free e-mail service such as Hotmail or Yahoo, the attacker can simply go to
the website and recreate the user name.  If the e-mail address is through an
ISP, they can simply sign up for the username or find someone to create an
alias for them.  Finally, the attacker can also e-mail a web admin and
engineer them into creating a temporary e-mail account with this name.  Then
all the attacker has to do is go to the above mentioned password request page
and request the password for that screen name.

As a result the attacker now has the password to the account and can take
full control.  They can change the password, sign on the screen name, and
update the registered e-mail address to one of their liking.  At this point
there is absolutely nothing the victim can do.  America Online does not
support home users with AIM in any capacity.

AOL Groups can also result in e-mail address disclosure via another method.
There does not appear to be any limit to the amount of group invitations that
can be sent to one screen name.  A user can create a script to send thousands
of group invitations in a matter of minutes.  If all of these invitations are
directed towards one screen name, there is a good chance that it will
completely fill the inbox of a user with a message quota.  As a result an
error message will bounce back to the attacker notifying him that the
target's inbox is full.  At the same time the message will also include the
target's e-mail address.  The attacker now has the ability to possibly use
information from this e-mail address to attempt to obtain access to it.
Possible options include: brute force password cracking and sending e-mail
trojans.

Solutions: 

There are a few possible solutions to some of these problems at this time.
The first is to sign on your AIM screen name and make sure your e-mail
address is valid, up-to-date, and that you have access to it.  The only other
option to stop the e-mail attack is to have your account on a server with no
quota or that will not respond with a mailbox full message that discloses
your address.
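A platform-side fix for the two disclosure paths described above, added here as an example and not code from the advisory or from AOL: the invitation's envelope sender (Return-Path) is a platform-owned address, so the MAILER-DAEMON's "user unknown" or "mailbox full" message goes to the platform rather than to the inviter, and invitations are throttled per target screen name so one inbox cannot be flooded into a quota bounce.  BOUNCE_DOMAIN, BOUNCE_KEY and the invitation ids are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Optional

# Constructed placeholder values for the example; not AOL's real setup.
BOUNCE_DOMAIN = "bounces.groups.example"
BOUNCE_KEY = b"constructed-demo-key"

def _tag(invitation_id: str) -> str:
    return hmac.new(BOUNCE_KEY, invitation_id.encode(), hashlib.sha256).hexdigest()[:16]

def bounce_address(invitation_id: str) -> str:
    """Platform-owned envelope sender (Return-Path) for one invitation.

    The MAILER-DAEMON replies to the envelope sender, so an address the
    platform controls receives the bounce instead of the inviter; the HMAC
    tag maps it back to the invitation without exposing the invitee's address.
    """
    return f"bounce+{invitation_id}.{_tag(invitation_id)}@{BOUNCE_DOMAIN}"

def verify_bounce_address(addr: str) -> Optional[str]:
    """Return the invitation id for a genuine bounce address, else None."""
    local, _, domain = addr.partition("@")
    if domain != BOUNCE_DOMAIN or not local.startswith("bounce+"):
        return None
    invitation_id, _, tag = local[len("bounce+"):].rpartition(".")
    if not invitation_id or not hmac.compare_digest(tag, _tag(invitation_id)):
        return None
    return invitation_id

class InviteThrottle:
    """Cap invitations per target screen name in a sliding time window."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._sent = defaultdict(deque)  # target -> send timestamps

    def allow(self, target_screen_name: str, now: float) -> bool:
        sent = self._sent[target_screen_name]
        while sent and now - sent[0] >= self.window:
            sent.popleft()
        if len(sent) >= self.limit:
            return False  # refuse the send; nothing goes out, nothing bounces
        sent.append(now)
        return True
```

The bounce handler should record the failure against the invitation id and show the inviter only a generic "could not be delivered" status, never the bounce body.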


Vendor Response:

Numerous attempts to report this bug to AOL and get a fix have been made.
These reports, like many others in the past, have simply gone ignored.  This
vulnerability report will hopefully lead to a heads up to anyone who might
come under attack and will perhaps lead to a fix.


Credits:

I would like to thank all of the people who continually spam me with these
invitations for motivating me to put all this information into a report.
Also, go Virginia Tech!



-Steven
steven@...ebug.org

