Vulnerability Development mailing list archives

Re: possible AIM dos?


From: lazy <lazy () bsdbox org>
Date: Tue, 09 Oct 2001 22:10:52 -0400

You cannot warn someone unless they send you a
message. However, if you register and use 27 or
so different screen names, using a client such
as GAIM, which makes it possible, you can harass
them to the point where they beg you to stop.
Their begging allows you to warn them to 100%,
rendering their account useless. 

A workaround to this, and nearly any other
AIM "attack" is simple. Block all users not on
your buddy list in your Privacy settings.
However, this is a pretty paranoid method to
use.

It's possible and does work. With most people
you can do it within 3 minutes.

Note that when registering accounts, you'll
have to use multiple email addresses. But since
you never have to really confirm your AIM
accounts by replying to the E-mail, it won't
matter.

// lazy


John Scimone wrote:

After reading this outdated article regarding AOL Instant Messenger's "warn"
feature:

http://www.attrition.org/security/denial/w/aim-warn.dos.html

I began to wonder what type of restrictions were put on it.  Does anyone know
what is stopping someone from registering multiple screen names, then sending
warnings from each of those names, all targeted at the same user thus keeping
that user at a 100% warning level denying them the instant messenger service
for the most part?
Any thoughts are appreciated.
Thanks.

John Scimone

-- 

 ..:: Too many people... Too few neurons.
 PGP: RSA 2048bit 0xB7673053 (keyserver.pgp.com)
 Web: http://packetjunkie.net  http://bsdbox.org

