America Online is scrambling today to patch a hole that allows its Parental Control content filtering system to be subverted, enabling teens to access forbidden Web addresses simply by adding a dot.
AOL said it first became aware of the problem today after receiving a call from CNET News.com.
"We have recognized a small glitch affecting our mature teen filtering system," AOL spokesman Andrew Weinstein said. "We're in the process of fixing it."
The glitch could prove embarrassing for AOL. The largest Internet service provider, with more than 23 million subscribers, AOL touts its filtering control system as a safe way for parents to prevent their children from accessing violent or sexually explicit sites on the Net.
The filtering system allows parents to set up accounts for various age groups, such as "kids only" (12 and under), "young teens" (13-15) and "mature teens" (16-17). Each age group is unable to access specified Web sites based on content such as violence and sex.
For example, members designated as mature teens cannot access the Web site Sex.com. However, under the workaround, if a mature teen using AOL simply enters a "." at the end of "www.sex.com," the site becomes accessible. Curiously, the glitch does not allow similar access for the other two age groups.
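The article does not say how AOL's filter compares addresses. As an added example (not AOL's code), the sketch below assumes a filter that matches the raw host string against a blocklist, and shows why a trailing dot slips past it and how normalizing the host first closes the gap. The blocklist entries and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample blocklists (hypothetical data, not AOL's).
BLOCKED_HOSTS = {"sex.com", "www.sex.com"}   # exact-match list for the naive check
BLOCKED_DOMAINS = {"sex.com"}                # domain list for the hardened check


def naive_is_blocked(url: str) -> bool:
    """Flawed check: compares the host string exactly as typed."""
    host = urlsplit(url).hostname or ""
    # "www.sex.com." is a different string from "www.sex.com", so it passes.
    return host in BLOCKED_HOSTS


def canonical_host(url: str) -> str:
    """Return the host in one canonical form, or raise ValueError."""
    host = urlsplit(url).hostname          # already lower-cased, port removed
    if not host:
        raise ValueError("URL has no host")
    if host.endswith("."):
        host = host[:-1]                   # one trailing dot = same DNS name
    if any(label == "" for label in host.split(".")):
        raise ValueError("empty label in host name")
    return host


def hardened_is_blocked(url: str) -> bool:
    """Normalize first, match parent domains, and fail closed on bad input."""
    try:
        host = canonical_host(url)
    except ValueError:
        return True                        # unparseable host: deny
    labels = host.split(".")
    # Check the host and each parent domain (www.sex.com, sex.com, com).
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


if __name__ == "__main__":
    for u in ("http://www.sex.com/", "http://www.sex.com./",
              "http://www.sex.com../", "http://example.org/"):
        print(u, naive_is_blocked(u), hardened_is_blocked(u))
```

The same normalization has to run wherever the decision is enforced (proxy, client, or resolver), since any layer that compares the unnormalized string reintroduces the mismatch.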
The problem was discovered by Mike Sklut, a 14-year-old AOL member who says he has been exploiting the weakness for years. Sklut posted the chink in AOL's armor on his site.
"I was 11 at the time, so it's been three years," said Sklut, a ninth-grader at Northville High School in Northville, Mich. "My parents put parental controls on my screen names. I needed to get to AltaVista to do research, and AOL blocked it at the time. So I started playing around with the syntax of the URL and it worked perfectly."
Sklut explained that his parents placed him under the "mature teens" restrictions when he was 11.
Analysts said the glitch struck AOL at a particularly vulnerable spot.
"AOL can't go around touting itself as a friend of the family unless they address this problem head on and quickly," said Youssef Squali, analyst for ING Barings.
"Clearly it is not something that AOL can be proud of, but you do need to think of the Internet as a work in progress. There will be glitches and problems as we go on," Squali added.
Security bugs involving extra dots in Web addresses are not uncommon. Previous vulnerabilities have plagued Microsoft's Web server, including a glitch that exposed database passwords and other sensitive information. A combination of Sun Microsystems' Web software and Microsoft's operating system has also suffered similar problems.
The latest glitch follows other scrutiny of AOL's filters.
Last April, News.com reported that AOL's filters appeared to favor conservative-leaning sites over more liberal sites.
For example, if a parent set up a "kids only" AOL account, a child could easily view the site of the Republican National Committee, but the Democratic National Committee would be blocked.
In addition, the child could call up the conservative Constitution Party and Libertarian Party. But attempting to view Ralph Nader's Green Party or Ross Perot's Reform Party would result in a "not appropriate for children" message. This apparent bias seems to have been corrected.