Wilders Security Forums  
#1
March 4th, 2002, 10:13 AM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383

AOL/AIM vulnerability

Quote:
Summary

It is possible to retrieve the password of AOL Instant Messenger screen names through the http://free.aol.com, http://www.aol.com, and http://www.aim.com websites. This can then lead to possible gain of other accounts such as FTP, e-mail, and so on.


Details

Password retrieval:
AOL Instant Messenger screen names that are registered to the same @aol.com address, but where that address no longer exists in AOL's system (usually 6 months after cancellation/termination of the account), are vulnerable. Example: we have an AOL Instant Messenger screen name "hi mom" that is registered under the e-mail hi mom@aol.com; since the hi mom@aol.com account is no longer in AOL's system, it is vulnerable.

Takeover, without current password:
It is possible to take over AOL Instant Messenger screen names that are not currently in AOL's system. Social Engineering is required:

- Visit http://xxxxx

- At the first page, enter any information you desire. (Remember this information if you plan on social engineering your way in later.) Now press Continue.

- On the next page you will be asked for a xxxx name and password. Enter an AOL Instant Messenger xxxxx name and password that you own, that is NOT in AOL's system. Check the check box that says "xxxxxxx". Now press Continue.

- On the next page you will be asked for billing information, and a new browser window will pop up. Click the "xxxx" button in the new browser window; it should close. Go back to the initial browser window and press the "Cancel" link in the bottom left-hand corner.

- On the next page you will be brought to xxxx, which talks about joining AOL without a credit card. Now press Continue.

The next 2 pages will be for verification; keep pressing "xxxxx" on the next xx pages until you get to the page that asks for another screen name and password.

If you've done this correctly you will be greeted with "Sorry, <thename> is taken", then asked to enter another screen name and password as stated before. This is where you enter the xxxx name that you would like to retrieve the password from. (If you enter a xxxx name that is on AOL already, you will get an error saying that it is already taken.) Other errors might occur when trying certain screen names; simply press the back button and try again.

So, say we enter "xxxxx", and for the password field you would enter any password (don't forget it; this will be used in the following steps). Press the continue button, and if the name was vulnerable you will be taken to a new page and greeted with "Welcome to America Online! Congratulations xxxx". Now we have access to log in to the http://www.aol.com AOLAnywhere service with the account that was just created.

- Now, to retrieve the current password of xxxx, we visit http://www.aim.com and use the Lost Password feature found under Help. Enter the xxxxxxxxx name of the password to be retrieved and press Submit.

- Visit http://www.aol.com to use AOLAnywhere and log in to the account using the password you chose before. You should have an e-mail in there from AOL with the password to the screen name.

If you did not receive an e-mail from the Lost Password feature, this means that the AOL Instant Messenger screen name was not registered under the @aol.com address.

From here an attacker could change the password to the AOL Instant Messenger screen name and also try the same password against the victim's other accounts (FTP, SSH, etc.).

Testing:

xxxxxx

Vendor response:

AOL was e-mailed multiple times before this advisory and we have yet to receive a reply, so hopefully they are working on it. In the meantime, just make sure your AOL Instant Messenger screen name's email address is not registered to its old @aol.com address.

(note: xxx = deleted by Forum Admin)

source: securiteam.com

regards,

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100