Full Disclosure mailing list archives
Re: AOL refuses to help AIM users
From: ATD <simon () snosoft com>
Date: 03 Feb 2003 21:45:28 -0500
Juraj,

I would love to make it public, however I am not sure as to what the actual vulnerability is. What I do know is that it allowed the attacker to "take over" the user's account. In the process the attacker was able to change the user's password. The user's client was GAIM; I am not sure of the version as of yet.

The perplexing/concerning part of this is they did not require the user to be on-line for the account compromise. They can apparently change the password on the AIM database whenever they want, which makes me wonder if it has been compromised.

Like I said, AOL was not interested in discussing this with me, even after I identified myself. Their claim was because I was not a paying customer. Also take note, my last message and this one are both being carbon copied to both toc () aol com and abuse () aol com, but to no avail.

On Mon, 2003-02-03 at 21:39, Juraj Bednar wrote:
> Hello,
>
> make the vulnerability public, stating why you did not communicate with vendor. It's their problem. Would be pretty bad press for them.
>
> J.
>
> > All,
> >
> > Has anyone on this list ever tried to report a security issue to AOL? I just tried to do that and was literally told, "Corporate policy states that we do not help our free users." I said, "I suppose that's because you don't make any money off of the free users". The man on the other end of the line, being their security expert, then stated, "that's right".
> >
> > Is this how they treat their prospective clients, end users, and free users? What can we do about this?
> >
> > --
> > ATD <simon () snosoft com>
> > Secure Network Operations, Inc.
--
ATD <simon () snosoft com>
Secure Network Operations, Inc.