Why? GAIM uses TOC, IIRC -- just use Net::AIM in perl or even dig up some OSCAR documentation. It would be easier than hacking up a client to do the same thing. apl ----- Original Message ----- From: "moksha faced" <adminat_private> To: "Nick Lange" <nicklangeat_private>; "Alex Lambert" <alambertat_private> Cc: <vuln-devat_private> Sent: Tuesday, August 06, 2002 1:15 PM Subject: Re: In regards to the insecurity of AOL Instant Messenger > silly question, but has anyone written a bot using > gaim or jaim? > --- Nick Lange <nicklangeat_private> wrote: > > Trillian allows SSL over AIM protocol [or did allow > > in .72, haven't checked > > the RC1 release yet]. > > lICQ allowed SSL over ICQ as well... > > so it's there if you're willing to use alternative > > clients, but most people > > don't. > > nick > > ----- Original Message ----- > > From: "Alex Lambert" <alambertat_private> > > To: "Adam Carr" <itsacarrat_private>; > > <vuln-devat_private> > > Sent: Tuesday, August 06, 2002 11:15 AM > > Subject: Re: In regards to the insecurity of AOL > > Instant Messenger > > > > > > > > Now my question, is how secure are normal "ims" > > on AIM. How difficult = > > > > would it be to listen to anothers msgs and if at > > all possible, how could > > = > > > > this be fixed.=20 > > > > > > "msgsnarf records selected messages from > > AOL Instant Mes- > > > senger, ICQ 2000, IRC, MSN Messenger, or > > Yahoo Messenger > > > chat sessions." (msgsnarf(8) manpage) > > > > > > AFAIK, none of the above protocols are usually > > encrypted. dsniff > > > > > > (http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz) > > can pick them > > up. > > > > > > > > > > > > apl > > > ----- Original Message ----- > > > From: "Adam Carr" <itsacarrat_private> > > > To: <vuln-devat_private> > > > Sent: Monday, August 05, 2002 5:58 PM > > > Subject: In regards to the insecurity of AOL > > Instant Messenger > > > > > > > > > > After seeing the recent emails about the hide > > windows while away = > > > > function while I don't quite understand that as > > a security threat this = > > > > does remind me of other insecurities of AIM and > > some questions I had as > > = > > > > well. > > > > > > > > The first threat to AIM users that I am aware of > > and have tested myself > > = > > > > is under Direct Connects with another user. With > > a targets ip, it is not > > = > > > > difficult at all to intercept the dcc's messages > > and to input your own. > > = > > > > Quite frightening. A simple fix is to change the > > port which AIM direct = > > > > connects on. Seeing as how my explanations are > > not that great I invite = > > > > anyone else who is aware of this to explain that > > flaw in AIM. > > > > > > > > Now my question, is how secure are normal "ims" > > on AIM. How difficult = > > > > would it be to listen to anothers msgs and if at > > all possible, how could > > = > > > > this be fixed.=20 > > > > > > > > I know AIM has\had it's share of other > > vulnerabilities so please speak = > > > > up if you know of any. Thanks ... > > > > > > > > Cheers ... > > > > Adam > > > > > > > > > > > > > > > > > > > > > > > > > > >
This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 13:04:59 PDT