[Full-Disclosure] Re: AOL Instant Messenger - Away Setting and Snoopers

• Previous message: Matthew Murphy: "[Full-Disclosure] Re: AOL Instant Messenger - Away Setting and Snoopers"
• In reply to: Matthew Murphy: "[Full-Disclosure] AOL Instant Messenger - Away Setting and Snoopers"
• Next in thread: Mark Shirley: "Re: AOL Instant Messenger - Away Setting and Snoopers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I don't think the "hide window while away" feature was designed with
security in mind. I believe its more for keeping the desktop clear.  Someone
with local access could also just as easily turn off away and look at the
windows....


----- Original Message -----
From: "Matthew Murphy" <mattmurphyat_private>
To: "BugTraq" <bugtraqat_private>; "Full Disclosure"
<full-disclosureat_private>; "SecurITeam News" <newsat_private>;
"Vuln-Dev" <vuln-devat_private>
Sent: Sunday, August 04, 2002 6:56 PM
Subject: AOL Instant Messenger - Away Setting and Snoopers


> Yet another reason never to use AOL...
>
> AOL Instant Messenger is used by many millions of people to send and
receive
> messages in real-time.  It features several "states" for a user, such as
> away, idle, etc. that change the behavior of the client when set.  AOL
> employs a feature "Hide windows while away" that, as its name implies,
hides
> all windows in AIM while the user is away.  However, even with windows
> hidden, it is possible for snoopers to view conversation.
>
> If a user sends you a message while you are away, and regardless of "hide
> windows" being enabled, the entire conversation between the two parties
> becomes readable to anyone with access to the terminal just by clicking
the
> desired screen name.
>
> Example:
>
> 1) 2 users chat...
> 2) user A leaves, setting away status
> 3) user B checks with a simple "are you there?" type message
> 4) upon receiving the away, no further messages are exchanged, as user A
has
> left
> 5) someone with local access checks the away queue for info
> 6) checking each screen name, he/she saves each transcript
> 7) user A returns, and responds to the message
> 8) chat continues...
>
> Workaround: Don't use away state, or close all conversation windows
> yourself; never use the hide window feature, that is just lazy. :-)
>
> "The reason the mainstream is thought
> of as a stream is because it is
> so shallow."
>                      - Author Unknown

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosureat_private
http://lists.netsys.com/mailman/listinfo/full-disclosure

• Next message: Mark Shirley: "[Full-Disclosure] Re: AOL Instant Messenger - Away Setting and Snoopers"
• Previous message: Matthew Murphy: "[Full-Disclosure] Re: AOL Instant Messenger - Away Setting and Snoopers"
• In reply to: Matthew Murphy: "[Full-Disclosure] AOL Instant Messenger - Away Setting and Snoopers"
• Next in thread: Mark Shirley: "Re: AOL Instant Messenger - Away Setting and Snoopers"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 02:34:47 PDT