SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Instant Messaging/IRC/Chat)  >   AOL Instant Messenger Vendors:   America Online, Inc.
AOL Instant Messenger (AIM) Chat Software May Disclose Buddy List Information to Local Users
SecurityTracker Alert ID:  1004042
SecurityTracker URL:  http://securitytracker.com/id/1004042
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 15 2002
Impact:   Disclosure of user information
Exploit Included:  Yes  

Description:   An information disclosure vulnerability was reported in the AOL Instant Messenger (AIM) software. A local user may be able to obtain another local user's buddy list.

It is reported that AIM may store buddy list information in a globally accessible directory on Windows NT, 2000, and XP.

It is reported that, on Windows 2000, in the folder named winnt/AIM95/"screenname" there is a file named 'userinfo.bag' that stores all the names on a user's buddy list. On Windows XP, the file is reportedly contained in winnt/system32/aim95.

Another user contradicted the report, indicating that the file was stored in the user's personal directory on Windows 2000, making the file inaccessible to anyone except the administrator and the user itself.
Impact:   A local user could obtain another local user's buddy list on a multi-user machine.
Solution:   No solution was available at the time of this entry.
Vendor URL:  aim.aol.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (NT), Windows (2000), Windows (XP)

Message History:   None.

 Source Message Contents
Date:  15 Apr 2002 15:30:23 -0000
Subject:  Ability to read buddy list of AIM users




Ive been able to do this on publicly accessible
 computers...such as university labs...You can see
 the buddy list of other people who have signed on to
 AIM on that computer. On win2k in the folder named
 winnt/AIM95/"screenname" there is a file called
 userinfo.bag which stores all the names on your
 buddy list...all you have to do is traverse to a different
 screenname directory and open up the file with any
 editor. In win XP the folder is in
 winnt/system32/aim95. This pretty much works on
 any OS although I havent tried linux and Mac yet.
 Although this may not be a serious threat, its pretty
 much a violation of privacy...and that is a right we all
 have correct?? corrrect..Its pretty easy for anyone
 being nosy to start harrasing people on your buddy
 list. I hope this isnt a repost. Contacting AOL also
pretty much all that needs to be done is check out the 
aim95 folder for a file called userinfo.bag


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC