I don't think the "hide window while away" feature was designed with security in mind. I believe it's more for keeping the desktop clear. Someone with local access could also just as easily turn off away and look at the windows...

----- Original Message -----
From: "Matthew Murphy" <mattmurphyat_private>
To: "BugTraq" <bugtraqat_private>; "Full Disclosure" <full-disclosureat_private>; "SecurITeam News" <newsat_private>; "Vuln-Dev" <vuln-devat_private>
Sent: Sunday, August 04, 2002 6:56 PM
Subject: AOL Instant Messenger - Away Setting and Snoopers

> Yet another reason never to use AOL...
>
> AOL Instant Messenger is used by many millions of people to send and receive
> messages in real-time. It features several "states" for a user, such as
> away, idle, etc. that change the behavior of the client when set. AOL
> employs a feature "Hide windows while away" that, as its name implies, hides
> all windows in AIM while the user is away. However, even with windows
> hidden, it is possible for snoopers to view conversations.
>
> If a user sends you a message while you are away, and regardless of "hide
> windows" being enabled, the entire conversation between the two parties
> becomes readable to anyone with access to the terminal just by clicking the
> desired screen name.
>
> Example:
>
> 1) 2 users chat...
> 2) user A leaves, setting away status
> 3) user B checks with a simple "are you there?" type message
> 4) upon receiving the away, no further messages are exchanged, as user A has
>    left
> 5) someone with local access checks the away queue for info
> 6) checking each screen name, he/she saves each transcript
> 7) user A returns, and responds to the message
> 8) chat continues...
>
> Workaround: Don't use away state, or close all conversation windows
> yourself; never use the hide window feature, that is just lazy. :-)
>
> "The reason the mainstream is thought
> of as a stream is because it is
> so shallow."
> - Author Unknown

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosureat_private
http://lists.netsys.com/mailman/listinfo/full-disclosure

This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 02:34:47 PDT