A small band of hackers has discovered a way to take over any AOL Instant Messenger (AIM) account as long as they know the owner's screen name. Using an AOL staff tool they unearthed while poking around the company's proprietary online service, they exploit a hole in the AOL 5.0 registration process that lets them reset any AIM user's password.
Once the hackers have done this, the original holders of the screen names are locked out of their accounts, giving the hackers open access to those users' "buddy lists" of other AIM users and the ability to maintain trial AOL 5.0 accounts under the same screen names, as confirmed by CNET News.com.
AOL spokesman Rich D'Amoto said he hasn't heard of any complaints about stolen AIM screen names, but that the company is looking into the issue and will try to track down the hackers.
"We're aware of the situation and we are deploying security measures to defeat the hackers," D'Amoto said.
More than 40 million people have registered AIM screen names and use the program to carry on short conversations or send quick alerts to their friends or co-workers.
AIM users can set up private buddy lists and never have to share their screen names with people they don't know. But many users give up their names freely in chat rooms or through AIM's "find a buddy" feature, which lets users search for someone to talk with based on a common interest, such as books or religion.
The teenage hackers who found the hole in AOL 5.0 say they have stolen more than a hundred names, such as "New York City." Some use the names they've seized to extract information about the person from friends and family. Mostly the ploy is a game.
"We do it if we've seen someone we don't like in a private chat room," one of the hackers said in an interview.
At one point, the high school senior said he tried to let AOL know about the hole. "If AOL would just listen to people like us instead of blowing us off and terminating our accounts, they could fix it," he said.
Security holes usually aren't kids' stuff to a major company such as AOL, however.
In the wake of high-profile privacy breaches caused by human error and email-based attacks, AOL has been forced to take security seriously to assure its more than 20 million members that their personal information, e-commerce transactions and communications are protected on its service.
AOL wants AIM registrants to feel safe, too; their frequent and consistent activity adds up to lucrative advertising dollars for AOL. And AOL's quality control and privacy measures will only become more important, and potentially harder to manage, as its acquisition of Time Warner takes shape.
AOL will likely try to close the loophole in the registration process that allows the hackers to assign a new password to the account.
Here's how it works:
At one point in the 5.0 registration process, AOL asks for a person's screen name. The hackers enter the screen name they intend to steal, and when asked for its password they simply guess, getting an "invalid password" message. The trick is that AOL has "buffered," or remembered, the screen name within the registration process even though the password check failed. The hackers then use the staff tool to jump to a later part of the registration process. Because that later step only checks that a screen name has been entered, not that its password was ever verified, AOL treats the hacker as the rightful owner of the AIM screen name and permits the password to be reset.
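The following is an added illustration, not AOL's code: a small Python model of the kind of step-based registration flow described above, first with the flaw (screen name remembered before ownership is proven, reset step trusting the remembered name) and then hardened so the reset step requires a server-side "verified" flag that only a successful password check can set and that any change of screen name clears. The class and function names, the session layout, the sample accounts and the passwords are all assumptions made for the example.

```python
"""Model of a multi-step registration wizard with a step-skipping flaw.

Added example, not AOL's code. Account data below is constructed for
illustration; the screen name "New York City" is the one the article cites.
"""
import hashlib
import secrets


def hash_password(password: str, salt: bytes) -> str:
    """Salted hash so the store never holds plaintext (assumed scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_accounts() -> dict:
    """Constructed sample store: screen name -> {salt, pw}.
    Returns a fresh copy each call so scenarios start from the same state."""
    salt = secrets.token_bytes(16)
    return {
        "New York City": {"salt": salt, "pw": hash_password("correct horse", salt)},
        "attacker":      {"salt": salt, "pw": hash_password("attackerpw", salt)},
    }


def check_login(accounts: dict, name: str, password: str) -> bool:
    acct = accounts[name]
    return hash_password(password, acct["salt"]) == acct["pw"]


class VulnerableWizard:
    """Flawed flow: the screen name is 'buffered' in the session as soon as it
    is entered, and reset_password only checks that a name is present. A client
    that can jump between steps never has to pass enter_password."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.session = {}

    def enter_screen_name(self, name: str) -> str:
        if name not in self.accounts:
            return "unknown screen name"
        self.session["screen_name"] = name      # remembered before any proof of ownership
        return "ok"

    def enter_password(self, password: str) -> str:
        name = self.session.get("screen_name")
        if name is None:
            return "no screen name"
        acct = self.accounts[name]
        if hash_password(password, acct["salt"]) != acct["pw"]:
            return "invalid password"            # session still keeps screen_name
        self.session["verified"] = True
        return "ok"

    def reset_password(self, new_password: str) -> str:
        name = self.session.get("screen_name")
        if name is None:
            return "no screen name"
        acct = self.accounts[name]               # trusts the buffered name alone
        acct["pw"] = hash_password(new_password, acct["salt"])
        return "reset"


class HardenedWizard(VulnerableWizard):
    """Same steps, but ownership is a separate flag: set only by a successful
    password check, cleared whenever the screen name changes or a check is
    retried, and required by reset_password. Skipping the password step no
    longer helps, and verifying one's own account then switching names fails."""

    def enter_screen_name(self, name: str) -> str:
        self.session.pop("verified", None)       # new name means ownership unproven
        return super().enter_screen_name(name)

    def enter_password(self, password: str) -> str:
        self.session.pop("verified", None)       # clear stale state before re-checking
        return super().enter_password(password)

    def reset_password(self, new_password: str) -> str:
        if not self.session.get("verified"):
            return "ownership not verified"
        return super().reset_password(new_password)


def hijack(wizard_cls, accounts: dict, target: str, new_password: str = "hijacked") -> str:
    """Replays the article's attack: enter the target name, guess wrong,
    then jump straight to the reset step."""
    w = wizard_cls(accounts)
    w.enter_screen_name(target)
    w.enter_password("wrong guess")              # "invalid password", but name is buffered
    return w.reset_password(new_password)        # the step the hackers jump to


def legitimate_reset(wizard_cls, accounts: dict, name: str, password: str, new_password: str) -> str:
    """The intended path: prove ownership, then reset."""
    w = wizard_cls(accounts)
    w.enter_screen_name(name)
    if w.enter_password(password) != "ok":
        return "invalid password"
    return w.reset_password(new_password)
```

The two things the hardened version changes are the points a reviewer would look for in any multi-step flow: the "proof of ownership" state is distinct from the "identifier entered" state and is bound to the specific screen name, and the privileged step checks that state itself rather than assuming an earlier step was reached in order.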
Security experts say such abuses aren't rare.
"These software faults are more common than most people think; it's more common than we would like," said Elias Levy, of the consulting firm Security Focus. "Most companies, their first reaction is to deny the problem and then go into damage recovery mode and fix the problem without acknowledging it."
Although AIM users could simply register a new screen name, Levy said that having a name stolen could be more of a concern for people who use messenger or chat programs for professional reasons.
"It can be nerve wracking if someone stole your online personality," he said.
AOL said that if a person has had their AIM screen name stolen, for now they can use the program's "forgot password" feature to have an email sent to the address they provided at registration that includes the account's current password. Then the original holder of the screen name can reset the password once again.