I'm sorry if I was unclear in my first post. The only way I've seen to exploit this is to send someone a hyperlink in the form of aim:addbuddy?=screenname and have them click on it. (replacing "screenname" with an actual screen name seems to give the same result) You can also set up a web page that will redirect your victim to a client crashing URL once they've caught on to your evil little scheme. :p I set up an example of this at http://www.fazed.net/poof for testing purposes, of course. Adam Brown SpunOne@IRC http://www.fazed.net http://www.webzone.net > I just sent <a href="aim:addbuddy?=screenname">what does this show up as</a>? > to an AOL AIM 2.0.996 user and once she *clicked* on it AIM crashed. I don't > know if you meant to say that the user had to click on it for the client to > crash, or if this is indeed different behaviour. I also just tried it with > "screenname" replaced with first her screenname, and then with mine, again > with no automatic reaction. > > (sent from linuxkitty, a naim-0.9.4-parse2 user, to <victim>, an AOL AIM > 2.0.996 user) > [15:59:43] linuxkitty: [LINK:href="aim:addbuddy?=screenname":what > does this show up as]? > [16:00:23] Friend <victim> has just logged off :( > [16:03:09] Friend <victim> is now online =) > [16:14:14] linuxkitty: [LINK:href="aim:addbuddy?=<victim>":miaow > miaow] (don't click on that, I'm just testing something) > [16:14:50] linuxkitty: [LINK:href="aim:addbuddy?=linuxkitty":anoth > er test...] > > -- > Daniel Reed <nat_private> > Many a false step is made by standing still... >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:19 PDT