Re: AOL Instant Messenger - Away Setting and Snoopers

From: Mark Shirley (cyberfrogat_private)
Date: Sun Aug 04 2002 - 22:35:24 PDT

    i fail to see the importance of this.  the hide window option is primarily
    for preventing full screen applications (particularly games) from crashing
    or switching to the desktop when another user messages you.  i highly doubt
    the hide window option is intended for any security purposes.  if you're
    concerned with people viewing your screen, lock it with a screensaver or
    nt/2k/xp "lock" feature.
    
    
    ----- Original Message -----
    From: "Matthew Murphy" <mattmurphyat_private>
    To: "BugTraq" <bugtraqat_private>; "Full Disclosure"
    <full-disclosureat_private>; "SecurITeam News" <newsat_private>;
    "Vuln-Dev" <vuln-devat_private>
    Sent: Sunday, August 04, 2002 9:56 PM
    Subject: AOL Instant Messenger - Away Setting and Snoopers
    
    
    > Yet another reason never to use AOL...
    >
    > AOL Instant Messenger is used by many millions of people to send and
    > receive messages in real-time.  It features several "states" for a user,
    > such as away, idle, etc. that change the behavior of the client when set.
    > AOL employs a feature "Hide windows while away" that, as its name implies,
    > hides all windows in AIM while the user is away.  However, even with
    > windows hidden, it is possible for snoopers to view conversation.
    >
    > If a user sends you a message while you are away, and regardless of "hide
    > windows" being enabled, the entire conversation between the two parties
    > becomes readable to anyone with access to the terminal just by clicking
    > the desired screen name.
    >
    > Example:
    >
    > 1) 2 users chat...
    > 2) user A leaves, setting away status
    > 3) user B checks with a simple "are you there?" type message
    > 4) upon receiving the away, no further messages are exchanged, as user A
    > has left
    > 5) someone with local access checks the away queue for info
    > 6) checking each screen name, he/she saves each transcript
    > 7) user A returns, and responds to the message
    > 8) chat continues...
    >
    > Workaround: Don't use away state, or close all conversation windows
    > yourself; never use the hide window feature, that is just lazy. :-)
    >
    > "The reason the mainstream is thought
    > of as a stream is because it is
    > so shallow."
    >                      - Author Unknown
    >
    >
    >
    



    This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 08:01:24 PDT