[ISN] Security Flaw Exposes 35 Million AOL Accounts

From: InfoSec News (isnat_private)
Date: Thu Jan 23 2003 - 03:29:05 PST

  • Next message: InfoSec News: "[ISN] Aust hackers launch security conference"

    By Nate Mook and Craig Newell, BetaNews 
    January 22nd, 2003
    The accounts of millions of AOL subscribers were jeopardized this week
    due to a serious flaw in the company's Web-based mail system, BetaNews
    has learned.
    The vulnerability stems from an error in one of AOL's international
    e-mail authentication systems, which granted users access without
    correctly verifying passwords. By simply entering an account name, an
    AOL user had the ability to read any other user's e-mail and all
    personal data contained therein.
    Private correspondence suddenly became open for public perusal, and
    sensitive information such as passwords and account numbers were
    potentially exposed to prying eyes.
    Although AOL plugged the security hole early Wednesday morning, it is
    unclear at this point how many AOL and AIM accounts have been
    The only accounts entirely spared from the snafu were those of AOL
    employees, as a SecurID code is required for such accounts, in
    addition to a password.
    While security issues are nothing new to AOL, the scope of this
    vulnerability and the ease with which it was executed are particularly
    disconcerting. Such a security breach extends beyond just e-mail and
    opens the door for potential identity theft.
    "There's two basic models of system security: Perimeter and
    Defense-In-Depth. Though no good system ever survives a weak
    perimeter, it's all too easy to suffer 'Candy Bar Security': Crunchy
    on the outside, soft and chewy on the inside," said Dan Kaminsky,
    security engineer for DoxPara Research. "Unfortunately, that's what
    hit AOL in this case. For whatever reason, AOL's mail servers were
    willing to grant access to user archives because they believed some
    trusted host at the perimeter had authenticated the necessary token --
    the password."
    The biggest risk lies in the connection between AOL and AIM. Because
    the messaging networks utilize separate databases, when an AOL account
    is created, an independently controlled AOL Instant Messenger account
    is also established with the same e-mail and password.
    Anyone with access to a member's e-mail can easily request a reminder
    of their AOL Instant Messenger password, which in most cases would
    also grant complete control over the AOL account. This would allow
    even more personal information to be accessed including addresses and
    phone numbers.
    According to reports, AIM accounts could also be hijacked by changing
    the password and e-mail address associated with the username.
    The vulnerability does not directly affect ScreenName, the unified
    sign-on system deployed across AOL's Web properties. However, once a
    password is obtained, personal information stored on any
    ScreenName-enabled site is potentially at risk.
    Major online players such as Microsoft with its Passport service, and
    the Liberty Alliance backed by AOL and Sun have been advocates of
    single sign-in technologies where a user only needs to log in once to
    access numerous services.
    But with such a large repository of user data, security concerns
    become paramount. AOL has faced several major security breaches in the
    past, most notably in summer of 2000 when hackers were able to access
    the subscriber's information database that includes detailed customer
    records like credit card information.
    AOL was unavailable for comment at press time.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 06:47:03 PST