X

AOL shutters Web e-mail hole

America Online fixes a security hole in its Web e-mail service after being tipped off to the flaw, but not before "hundreds" of accounts are compromised.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
America Online shuttered a security hole in its Web e-mail service on Wednesday after being tipped off to the flaw, but not before "hundreds" of accounts had been compromised.

Few details of the incident have emerged, but AOL spokesman Andrew Weinstein confirmed that the online giant closed the hole Wednesday morning.

"We believe only a very small number of accounts--in the hundreds, not thousands--were affected," Weinstein said, adding that the company is still taking stock of the incident to pinpoint what accounts had been targeted.

The incident, first reported by the BetaNews Web site, apparently was caused by flaws in the software that authenticates international users. The flaws allowed anyone to access an AOL e-mail account with only the account name and not the password. An attacker, then, could gain access to a known account, or, by way of a lucky guess, a random account.

An attacker could then use the weakness to get hold of the AOL user's password. Using the account name, the attacker could attempt to log in to AOL Instant Messenger. The IM log-in window offers a link labeled "Forgot my password," which, when clicked, brings up a page in the user's Web browser asking if he or she would like the IM password e-mailed. In many--if not most--cases, AOL users assign the same password to their e-mail and instant messaging accounts.

Dan Kaminsky, an independent security consultant familiar with the issue, criticized the company for jeopardizing people's information.

"The point of greatest loss to the customers is that their personal data from the electronic mail is going to get exposed," Kaminsky said.

Spokesman Weinstein said AOL is still researching where the flaw had first been reported so that the company could gauge the length of time attackers may have been exploiting the issue. The company didn't think the period of vulnerability lasted long, however. The company would not say who first alerted it to the problem.