AOL's Online Password Reset feature does not fully validate user information

["Steven" <steven () lovebug org>]

Vendor:   America Online Inc.
Date:     January 1, 2005
Issue:    AOL's Online Password Reset feature does not fully validate user information
URL:      http://www.aol.com 
Advisory: http://www.lovebug.org/aolpwreset_advisory.txt


Service Overview:

This report is in reference to the Online Password Reset that exists for the AOL client for paying user accounts and 
not AOL Instant Messenger.  I think chances are if you're reading this, you should be familiar that AOL is still the 
world's largest Internet Service Provider.

Issue:

AOL has an Online Password Reset feature that enables users that have forgotten their password to reset it online.  
This features comes by way of a window that may popup if the user has supplied an invalid password two times in a row. 
(Note: This does not apply when signing on as Guest or at New User).  The first screen that pops up is a word 
verification screen.  The user must simply write the letters in a box that are displayed from an image.  Upon doing 
this the user is brought to the next and most important screen in the process.  This is the Member Verification screen 
where they must enter the First Name, Last Name, and the Daytime and Evening Phone Number along with the Last 4 Digits 
of their billing method account number or the answer to an account security question (if one is set).  If an account 
security question is in place, it will only ask the user for the First Name and Last Name, and the answer to the 
account security question.  It will not ask for the phone numbers or the last four digits of the billing method.

While these may not be the most secure items to ask for to begin with, there is an issue with user input validation.  
To successfully reset the password for an account, the user does NOT need to supply the full first or last name.  In 
fact, only the first letter of both is required.  If the name on my account were Homer Simpson, all I would need to do 
is type in H and S for the first and last name.  The next issue is that it does not appear to check both daytime and 
evening phone numbers.  In my limited testing, I have found that you can simply enter one correct phone number in 
either field and the second phone number does not matter (in fact you can just put 555-555-5555).  However, in their 
credit it appears that the answer to the security question must be complete and exactly as originally typed. Also, if 
the last four digits of the billing method comes up, the exact and entire four must be entered correctly for validation.

This results in a problem with only having to supply a limited bit of information to reset a password.  On an even more 
extreme note, this could also be used to discover information about an account.  The user is given 4 tries to get the 
information correct to reset the password.  If the user enters some fields correctly but others incorrectly, the Online 
Reset window will return the correct fields with the previously entered information and leave all invalid fields blank. 
 This can be used to verify a name, phone number, and billing digits on the account.

Solutions: 

At the login screen intentionally typed your password incorrectly two times.  When the password reset window pops up, 
enter the word verification and then go to Member Verification screen.  At this point just enter bogus information four 
times until it boots you off.  This will disable the online reset feature for the screen name since the information was 
entered incorrectly.  The feature will probably be turned on again at some point after a given period of time, but I 
believe it is a rather long period of that's the case.  Also, don't use a security question with an easy answer that 
people might know or is flat out guessable (i.e. What is my favorite color?).


Vendor Response:

After my previous bug reports related to America Online, I noted that I had knowledge of more (and I still do) and 
would be more than willing to share this information with the vendor if they cared to hear it.  I received a response 
from AOL not too long after that, but it seems that maintaining the communication is rather difficult for some reason.  
The vendor has not been notified of this problem, atleast not until reading this.

My e-mail address hasn't change and works fine: <steven () lovebug org> | If anyone at AOL is interested in knowing 
bugs prior to disclosure, feel free to drop me a line.  There's a few more you might like to know about :-)

Credits:

Myself and the year 2005.

Go Hokies! Sugar Bowl Time! :D


-Steven
steven () lovebug org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html