Vulnerability Development mailing list archives
Re: In regards to the insecurity of AOL Instant Messenger
From: "Alex Lambert" <alambert () webmaster com>
Date: Tue, 6 Aug 2002 14:39:44 -0500
Additionally, some IRC servers allow SSL connections -- the ones I've seen use port 994 (ircs). Trillian also can do encrypted DCC (which is, besides the initial handshake, handled by the two clients instead of the server).

AIM has no native support for encrypted connections (or, if it does, I have never seen it used); Trillian allows two users (each with the Trillian client) to communicate securely via SSL.

apl

----- Original Message -----
From: "Nick Lange" <nicklange () wi rr com>
To: "Alex Lambert" <alambert () webmaster com>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, August 06, 2002 12:31 PM
Subject: Re: In regards to the insecurity of AOL Instant Messenger

Trillian allows SSL over AIM protocol [or did allow in .72, haven't checked the RC1 release yet]. lICQ allowed SSL over ICQ as well... so it's there if you're willing to use alternative clients, but most people don't.

nick

----- Original Message -----
From: "Alex Lambert" <alambert () webmaster com>
To: "Adam Carr" <itsacarr () adelphia net>; <vuln-dev () lists securityfocus com>
Sent: Tuesday, August 06, 2002 11:15 AM
Subject: Re: In regards to the insecurity of AOL Instant Messenger

> Now my question, is how secure are normal "ims" on AIM. How difficult would it be to listen to another's msgs and if at all possible, how could this be fixed.

"msgsnarf records selected messages from AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions." (msgsnarf(8) manpage)

AFAIK, none of the above protocols are usually encrypted. dsniff (http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz) can pick them up.

apl

----- Original Message -----
From: "Adam Carr" <itsacarr () adelphia net>
To: <vuln-dev () lists securityfocus com>
Sent: Monday, August 05, 2002 5:58 PM
Subject: In regards to the insecurity of AOL Instant Messenger

After seeing the recent emails about the hide windows while away function while I don't quite understand that as a security threat this does remind me of other insecurities of AIM and some questions I had as well.

The first threat to AIM users that I am aware of and have tested myself is under Direct Connects with another user. With a target's ip, it is not difficult at all to intercept the dcc's messages and to input your own. Quite frightening. A simple fix is to change the port which AIM direct connects on. Seeing as how my explanations are not that great I invite anyone else who is aware of this to explain that flaw in AIM.

Now my question, is how secure are normal "ims" on AIM. How difficult would it be to listen to another's msgs and if at all possible, how could this be fixed.

I know AIM has\had its share of other vulnerabilities so please speak up if you know of any.

Thanks ... Cheers ... Adam