Hackers exploiting a loophole in America Online's sign-up process have begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking them virtually at will.
The technique emerged early this month on AOL-Files, a meeting place for AOL hackers, where it was born as a harmless hack that allows users to establish AOL accounts with indented screen names.
The more sinister applications of the bug became clear later. "It wasn't until recently that anyone noticed that it could be used to hijack Instant Messenger accounts," says Adrian Lamo, founder of Inside-AOL and a long-time chronicler of AOL's foibles. "And it only became a significant problem in the past week."
America Online uses the same screen names across its subscription service and its instant messaging system. The bug is manifest in the way the system checks a new subscriber's chosen screen name for conflicts with existing AIM accounts.
By manipulating the nuts and bolts of AOL's sign-up form with tools long available on the Net, hackers can set the value of a two-character variable which is sent immediately before the new screen name in the sign-up process.
The sign-up ignores that variable, called uni_next_atom_typed, while checking the screen name for a conflict. But the process later appends the variable to the screen name when actually creating the account. A hacker exploits this, for example, by setting uni_next_atom_typed to "Jo" when establishing an account with the screen name "hn Doe." If "hn Doe" is available on both AOL and AIM, then the system will set up the account for "John Doe" -- even if "John Doe" is already in use.
The hacker can use the new AOL account to access John Doe's personal "buddy list," or to change John Doe's password and take over the AIM account, masquerading as the former owner.
Credit Cards Abused
Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
Once an AOL account exists under an AIM screen name it cannot be hijacked again -- although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.
Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, except for the first two letters, are already taken are also immune: i.e., if an 'hn Doe' were to have an AIM account, then a 'John Doe' would be safe from being hijacked, as the technique requires a hacker to register 'hn Doe' to take over 'John Doe'.
AIM is the most popular of the Internet instant messaging services, with 21.5 million users in the US alone, according to Internet traffic measuring company Media Metrix. In July, AOL reported that AIM had surpassed 61 million registered users worldwide, 20 million of whom were active.
AOL did not return repeated phone calls on the subject.
© 2000 SecurityFocus.com. All rights reserved.