Security Flaw Exposes 35 Million AOL Accounts

[InfoSec News <isn () c4i org>]

http://www.betanews.com/article.php3?sid=1043252353

By Nate Mook and Craig Newell, BetaNews 
January 22nd, 2003

The accounts of millions of AOL subscribers were jeopardized this week
due to a serious flaw in the company's Web-based mail system, BetaNews
has learned.

The vulnerability stems from an error in one of AOL's international
e-mail authentication systems, which granted users access without
correctly verifying passwords. By simply entering an account name, an
AOL user had the ability to read any other user's e-mail and all
personal data contained therein.

Private correspondence suddenly became open for public perusal, and
sensitive information such as passwords and account numbers were
potentially exposed to prying eyes.

Although AOL plugged the security hole early Wednesday morning, it is
unclear at this point how many AOL and AIM accounts have been
compromised.

The only accounts entirely spared from the snafu were those of AOL
employees, as a SecurID code is required for such accounts, in
addition to a password.

While security issues are nothing new to AOL, the scope of this
vulnerability and the ease with which it was executed are particularly
disconcerting. Such a security breach extends beyond just e-mail and
opens the door for potential identity theft.

"There's two basic models of system security: Perimeter and
Defense-In-Depth. Though no good system ever survives a weak
perimeter, it's all too easy to suffer 'Candy Bar Security': Crunchy
on the outside, soft and chewy on the inside," said Dan Kaminsky,
security engineer for DoxPara Research. "Unfortunately, that's what
hit AOL in this case. For whatever reason, AOL's mail servers were
willing to grant access to user archives because they believed some
trusted host at the perimeter had authenticated the necessary token --
the password."

The biggest risk lies in the connection between AOL and AIM. Because
the messaging networks utilize separate databases, when an AOL account
is created, an independently controlled AOL Instant Messenger account
is also established with the same e-mail and password.

Anyone with access to a member's e-mail can easily request a reminder
of their AOL Instant Messenger password, which in most cases would
also grant complete control over the AOL account. This would allow
even more personal information to be accessed including addresses and
phone numbers.

According to reports, AIM accounts could also be hijacked by changing
the password and e-mail address associated with the username.

The vulnerability does not directly affect ScreenName, the unified
sign-on system deployed across AOL's Web properties. However, once a
password is obtained, personal information stored on any
ScreenName-enabled site is potentially at risk.

Major online players such as Microsoft with its Passport service, and
the Liberty Alliance backed by AOL and Sun have been advocates of
single sign-in technologies where a user only needs to log in once to
access numerous services.

But with such a large repository of user data, security concerns
become paramount. AOL has faced several major security breaches in the
past, most notably in summer of 2000 when hackers were able to access
the subscriber's information database that includes detailed customer
records like credit card information.

AOL was unavailable for comment at press time.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.