Groups@AOL Group Invitation Flaw May Let Remote Users Determine User E-mail Addresses or Hijack AIM Accounts
SecurityTracker Alert ID: 1011414
SecurityTracker URL: http://securitytracker.com/id?1011414
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 26 2004
Impact: Disclosure of user information, User access via network
Exploit Included: Yes
Description: Steven from lovebug.org reported a vulnerability in Groups@AOL. A remote authenticated user can learn the e-mail address registered to a target AOL Instant Messenger (AIM) screen name and, in certain cases, obtain the screen name's password through the password-recovery feature.

It is reported that there is a flaw in the group invitation feature. When a remote authenticated user sends an invitation to a target AIM screen name, the system e-mails the invitation to the address on record for that screen name. If that address is no longer valid, the bounce message generated by the destination mail server is returned to the inviting user's own e-mail address, and the bounce quotes the failed (i.e. registered) address of the target.

If the AIM screen name is still in use and the bounced, invalid e-mail address is available for registration from the e-mail provider, the remote user may be able to hijack the target user's screen name: register the e-mail address, then use the AIM "forgot my password" feature to have the screen name's password sent to the newly registered address.

It is also reported that there is no limit on the number of invitations that can be sent to a single screen name. A remote user can send enough invitations to exceed the message quota of the target's mailbox; the resulting "mailbox full" bounce returned to the remote user likewise discloses the target user's e-mail address.

The report indicates that this exploit is being actively used.

The vendor has been notified without response.

The original advisory is available at:
http://lovebug.org/aolgroups_advisory.txt
Impact: A remote user may be able to hijack a target user's AIM account.
A remote user may be able to determine the e-mail address of a target AIM user.

Solution: No solution was available at the time of this entry.

Vendor URL: groups.aol.com/

Cause: Access control error

Reported By: <steven@lovebug.org>

Message History:
None.

Source Message Contents

Date: Fri, 24 Sep 2004 13:05:26 -0400
From: <steven@lovebug.org>
Subject: America Online Groups@AOL Feature - Multiple Issues
Date: September 24, 2004
Vendor: America Online Inc.
Issue: E-mail address disclosure and possible AIM account hijacking.
URL: http://groups.aol.com / AOL Keyword: Groups
Notes:
The following vulnerability in AOL's groups@aol feature can result in the
disclosure of an AOL Instant Messenger user's e-mail address and lead to
possible account hijacking. This exploit has existed for quite some time
now and is being actively exploited in some capacities.
Service Overview:
Users of America Online (AOL) can create what is known as a group by logging
into http://groups.aol.com or going to AOL Keyword: Groups. These groups
let AOL users create an online community where people can write each other
messages, meet and find other people, create photo display areas, manage an
events calendar, and do many other things. Anyone who uses an AOL related
product with a screen name has the ability to join these groups. E-mail
only users are also able to sign up but only at a limited capacity. Users
are able to invite other members to the groups with an invitation feature
that is available once logged in. With this invitation feature, the user
can invite more members by addressing invitations to either an e-mail
address or an AOL related screen name.
Exploitation:
This group invitation feature can lead to AOL Instant Messenger (AIM)
account e-mail address disclosure and account hijacking. AIM users are
required to enter an e-mail address (whether real or not) during signup.
This e-mail address is where lost passwords will be sent if the user
forgets their password and goes to: http://www.aim.com/help_faq/forgot_password/password.adp?.
This e-mail address is
also where group invitations arrive when users of an AOL Group request that a screen
name join their group. If a user sends a group invitation to a screen name with an
invalid e-mail address (i.e. the user entered a fake one when signing up or no longer
has access to it) then an error message will be generated by the MAILER-DAEMON at
that e-mail host address. This error message will then be sent back to the e-mail
address of the user who sent the invitation. The message will disclose the e-mail
address that is no longer in use that is associated with the invited screen name. At
this point an attacker has multiple means to attempt to gain access to this e-mail
address. If the e-mail address was through a free e-mail service such as Hotmail or
Yahoo, the attacker can simply go to the website and recreate the user name. If the
e-mail address is through an ISP, they can simply sign up for the username or find
someone to create an alias for them. Finally, the user can also e-mail a web admin
and engineer them into creating a
temporary e-mail account with this name. Then all the user has to do is go to the
above mentioned password request page and request the password for that screen name.
As a result the attacker now has the password to the account and can take
full control. They can change the password, sign on the screen name, and
update the registered e-mail address to one of their liking. At this
point there is absolutely nothing the victim can do. America Online does
not support home users with AIM in any capacity.
AOL Groups can also result in e-mail address disclosure via another method.
There does not appear to be any limit to the amount of group invitations
that can be sent to one screen name. A user can create a script to send
thousands of group invitations in a matter of minutes. If all of these
invitations are directed towards one screen name, there is a good chance
that it will completely fill the inbox of a user with a message quota. As
a result an error message will bounce back to the attacker notifying
him that the target's inbox is full. At the same time the message will
also include the target's e-mail address. The attacker now has the ability
to possibly use information from this e-mail address to attempt to obtain
access to it. Possible options include: brute force password cracking and
sending e-mail trojans.
Solutions:
There are a few possible solutions to some of these problems at this time.
The first is to sign on your AIM screen name and make sure your e-mail
address is valid, up-to-date, and that you have access to it. The only
other option to stop the e-mail attack is to have your account on a server
with no quota or that will not respond with a mailbox full message that
discloses your address.
Vendor Response:
Numerous attempts to report this bug to AOL and get a fix have been made.
These reports like many others in the past have simply gone ignored. This
vulnerability report will hopefully lead to a heads up to anyone who might
come under attack and will perhaps lead to a fix.
Credits:
I would like to thank all of the people who continually spam me with these
invitations for motivating me to put all this information into a report.
Also, go Virginia Tech!
-Steven
steven@lovebug.org
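The report above ends with mitigations a user can apply. As an added example of the service-side fix, not code from AOL or from the advisory's author, the following Python contrasts the vulnerable invitation flow with a hardened one. The vulnerable builder uses the inviter's own address as the SMTP envelope sender, so the bounce (and the target's registered address it quotes) lands in the inviter's mailbox. The hardened builder uses a service-owned envelope sender tagged with an HMAC so bounces return to the service and forged bounces are ignored, relays nothing to the inviter, and rate-limits invitations per target screen name so a flood cannot be used to provoke a "mailbox full" bounce. The directory of screen names, the set of live mailboxes, the domain and the toy `deliver()` MTA are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from email.message import EmailMessage

# Constructed directory: screen name -> registered e-mail address.
DIRECTORY = {
    "alice123": "alice@example.net",
    "bob_aim": "bob-old@example.org",   # assume this mailbox no longer exists
}
# Constructed view of the remote mail servers: mailboxes that still accept mail.
LIVE_MAILBOXES = {"alice@example.net"}

def deliver(envelope):
    """Toy MTA. Returns a bounce (DSN) when the recipient is undeliverable, else None.
    Like a real DSN it is addressed to the envelope sender (SMTP MAIL FROM) and
    quotes the failed recipient address, which is the leak in this advisory."""
    if envelope["rcpt_to"] in LIVE_MAILBOXES:
        return None
    return {"to": envelope["mail_from"],
            "body": f"550 5.1.1 <{envelope['rcpt_to']}>: User unknown"}

def build_vulnerable(inviter_email, target_sn):
    """Vulnerable pattern: the inviter's own address is the envelope sender, so
    the bounce, and the target's registered address inside it, goes to the inviter."""
    rcpt = DIRECTORY[target_sn]
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = inviter_email, rcpt, "Join my group"
    msg.set_content("You have been invited to a group.")
    return {"mail_from": inviter_email, "rcpt_to": rcpt, "message": msg}

class HardenedInviter:
    """Service-owned envelope sender carrying an HMAC-tagged token (bounces come
    back to us, not the inviter) plus a per-target rate limit (no quota flooding)."""

    def __init__(self, secret, domain="groups.example.com", limit=5, window=3600):
        self.secret, self.domain, self.limit, self.window = secret, domain, limit, window
        self.pending = {}                 # nonce -> (inviter_id, target_sn)
        self.recent = defaultdict(deque)  # target_sn -> timestamps of recent sends
        self.needs_reverify = set()       # screen names whose registered address bounced

    def _tag(self, inviter_id, target_sn, nonce):
        data = f"{inviter_id}|{target_sn}|{nonce}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()[:16]

    def build(self, inviter_id, target_sn, now=None):
        """Returns an envelope, or None when the target has hit the rate limit."""
        now = time.time() if now is None else now
        q = self.recent[target_sn]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return None
        q.append(now)
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (inviter_id, target_sn)
        msg = EmailMessage()
        msg["From"] = f"Groups <no-reply@{self.domain}>"
        msg["To"] = DIRECTORY[target_sn]
        msg["Subject"] = "Join my group"
        msg.set_content(f"{inviter_id} invited you to a group.")
        # MAIL FROM is ours, not the inviter's: every DSN lands in handle_bounce().
        bounce_addr = f"bounces+{nonce}.{self._tag(inviter_id, target_sn, nonce)}@{self.domain}"
        return {"mail_from": bounce_addr, "rcpt_to": DIRECTORY[target_sn], "message": msg}

    def handle_bounce(self, dsn):
        """Consumes a DSN sent to bounces+<nonce>.<tag>@domain. Verifies the tag,
        flags the target for address re-verification and returns its screen name
        for the service's own records; nothing is relayed to the inviter."""
        local, _, domain = dsn["to"].partition("@")
        if domain != self.domain or not local.startswith("bounces+"):
            return None
        nonce, _, tag = local[len("bounces+"):].partition(".")
        inviter_id, target_sn = self.pending.get(nonce, (None, None))
        if target_sn is None or not hmac.compare_digest(tag, self._tag(inviter_id, target_sn, nonce)):
            return None                   # unknown or forged bounce: ignore it
        del self.pending[nonce]
        self.needs_reverify.add(target_sn)
        return target_sn

def demo():
    """Runs both patterns on the constructed data and reports what each side learns."""
    leak = deliver(build_vulnerable("mallory@example.com", "bob_aim"))
    svc = HardenedInviter(secret=b"constructed-secret")
    dsn = deliver(svc.build("mallory", "bob_aim"))
    flagged = svc.handle_bounce(dsn)
    forged = svc.handle_bounce({"to": f"bounces+00.00@{svc.domain}", "body": ""})
    t0 = 1_000_000.0
    flood = [svc.build("mallory", "alice123", now=t0 + i) for i in range(6)]
    return {
        "vuln_bounce_to": leak["to"],                           # the inviter
        "vuln_leaks_address": "bob-old@example.org" in leak["body"],
        "hardened_bounce_to": dsn["to"].split("@")[1],          # the service
        "flagged": flagged, "forged_rejected": forged is None,
        "flood_accepted": sum(e is not None for e in flood),    # limit is 5
    }
```

Calling `demo()` shows the difference: the vulnerable envelope's bounce is addressed to mallory@example.com and quotes bob's dead address, while the hardened envelope's bounce is addressed to the service and consumed by `handle_bounce()`, which flags the screen name for re-verification and tells the inviter nothing. The per-target limit stops the quota-flood variant; a production system would also throttle per inviter and should never show the inviter any delivery status for an address they did not enter themselves.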