AOL Says It Is Fixing IM Security Loophole
America Online said today that it is in the process of closing
a security loophole that allowed hackers to steal AOL Instant Messenger
(AIM) screen names and, in some cases, access AOL members' credit cards.
Nicholas Graham, spokesperson for AOL, said that the new security measure
will address the issue not only for AIM version 4.3 clients, but
others as well.
"We became aware of the problem earlier this week," said Graham. "Today,
we were able to duplicate the process where individuals were able to make
illegal entries in our system. This afternoon we are putting in a
precautionary technique that will fix the problem."
Graham characterized the security breach as a "unique, sophisticated,
esoteric process," and added that it was an isolated incident.
"We are responding to this on an ad hoc basis. It was not brought to our
attention by any of our members," he said.
According to Kevin Poulsen, editorial director at SecurityFocus.com, an
online news and information service for computer security, the problem
began when hackers discovered a way to create unique AOL screen names
for themselves.
"There is a large subculture of people who delight in tinkering with AOL.
Not always illegally, but more than AOL would like," Poulsen explained.
"About a month ago, someone discovered a way to make a screen name that
was indented two spaces. It was innocent, but attractive, because it was
different and only an AOL hacker would know how to do it."
Poulsen said that the formerly innocent hack escalated recently when some
discovered that information could be sent to the AOL computer that allowed
the hacker to replace the two spaces with other letters. Therefore, someone
who signed up for "vinpoulsen" preceded by two spaces could then substitute
"ke" for the two spaces, and they would have hijacked "kevinpoulsen."
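The mechanism Poulsen describes is a name-canonicalization flaw: a name that differed from an existing one only by leading spaces was accepted as new, and a later edit path rewrote the stored string without re-checking uniqueness. The toy registry below is an added example, not AOL's code and not a description of AOL's real system; the length-only edit check in the vulnerable model, and the name rules in the hardened one (printable ASCII, whitespace ignored and case folded for uniqueness, no leading or trailing spaces), are assumptions made for illustration.

```python
import re
import unicodedata


class NameTaken(ValueError):
    pass


class BadName(ValueError):
    pass


def canonical(raw: str) -> str:
    """Reduce a screen name to the form uniqueness is judged on.
    Assumed rules for this example: Unicode NFKC, all whitespace removed,
    case folded. Two inputs with the same canonical form are one name."""
    name = unicodedata.normalize("NFKC", raw)
    name = re.sub(r"\s+", "", name)
    return name.casefold()


class VulnerableRegistry:
    """Constructed model of the reported flaw (not AOL's real code):
    uniqueness is checked on the raw string at sign-up only, and the
    name-edit path rewrites the stored name with just a length check."""

    def __init__(self):
        self.names = {}  # account id -> raw screen name

    def sign_up(self, account: str, raw: str) -> str:
        if raw in self.names.values():
            raise NameTaken(raw)
        self.names[account] = raw
        return raw

    def edit_name(self, account: str, new_raw: str) -> str:
        # Only constraint: same length as before, so two leading spaces
        # can be swapped for two letters and collide with another account.
        if len(new_raw) != len(self.names[account]):
            raise BadName(new_raw)
        self.names[account] = new_raw
        return new_raw


class HardenedRegistry:
    """Every path that assigns a name goes through one _claim() that
    rejects non-canonical input and checks uniqueness on canonical form."""

    def __init__(self):
        self.names = {}    # account id -> raw screen name
        self.claimed = {}  # canonical form -> account id

    def _claim(self, account: str, raw: str) -> str:
        # Assumed policy: 3-16 printable ASCII letters/digits/spaces,
        # and the name must already be stripped of leading/trailing space.
        if raw != raw.strip() or not re.fullmatch(r"[A-Za-z0-9 ]{3,16}", raw):
            raise BadName(raw)
        key = canonical(raw)
        holder = self.claimed.get(key)
        if holder is not None and holder != account:
            raise NameTaken(raw)
        old = self.names.get(account)
        if old is not None:
            del self.claimed[canonical(old)]
        self.claimed[key] = account
        self.names[account] = raw
        return key

    sign_up = _claim    # same check at registration ...
    edit_name = _claim  # ... and at every later rename


def demo():
    """Replay the article's scenario against both registries.
    Returns (collision_in_vulnerable, leading_space_rejected, rename_rejected)."""
    v = VulnerableRegistry()
    v.sign_up("victim", "kevinpoulsen")
    v.sign_up("attacker", "  vinpoulsen")      # distinct raw string, accepted
    v.edit_name("attacker", "kevinpoulsen")    # same length, collision created
    collided = v.names["victim"] == v.names["attacker"]

    h = HardenedRegistry()
    h.sign_up("victim", "kevinpoulsen")
    try:
        h.sign_up("attacker", "  vinpoulsen")
        leading_ws_rejected = False
    except BadName:
        leading_ws_rejected = True
    h.sign_up("attacker", "vinpoulsen")
    try:
        h.edit_name("attacker", "Kevin Poulsen")  # canonically equal to victim's
        rename_rejected = False
    except NameTaken:
        rename_rejected = True
    return collided, leading_ws_rejected, rename_rejected


if __name__ == "__main__":
    print(demo())
```

The design point is that validation lives in exactly one function, keyed on the canonical form, and that no rename can bypass it; the vulnerable model fails because the edit path trusts the sign-up check that ran on a different string.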
The first person to publicize the security breach was Adrian Lamo, a
self-described freelance security consultant and founder of Inside-AOL.com,
a site dedicated to keeping tabs on the problems AOL has. Lamo criticized
AOL for what he said was a lagging response time, and said that the company
had only itself to blame for not getting more help from others.
"It is unfortunate that it took them so long," Lamo said. "If AOL had a
better track record, then someone might have helped them sooner. Earlier
this year, a hacker discovered that he had gained access to AOL's internal
network. He contacted them and told them about it, then helped them fix it.
After it was fixed, AOL turned around and had him prosecuted."
Lamo posted a statement on his Inside-AOL.com site stating that the "vast
majority" of AOL's tens of millions of Instant Messenger accounts could be
compromised. The statement claimed that AOL knew about the vulnerability
for a significant amount of time but was unresponsive.
Lamo was dubious about AOL's announcement that it expected the problem to
be corrected today, saying, "they also made claims like that in the spring,
when another security issue came up, and it was not fixed when they said
it would be."
Graham said that AOL was taking the breach very seriously.
"Security is obviously a critical and important priority for us. We will
pursue the individuals in question that are responsible for this and we
will prosecute them," he said.
More information on America Online is available on the Web at http://www.aol.com