% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory % 

Author: f3d
Program: AOL Instant Messanger Servers/Clients
Fault: Caching vulnerability
Os: Win/BSD/*Aim compatible

% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory % 

Problem.  There is a vulnerability in AOL Instant Messanger Client and or 
Servers in which case they depends heavily upon caching, to heavily.  The 
problem with the servers and clients authentication method is, once you 
have logged onto AIM with a screenname, you can permanentley login with 
that screenname. 

Explanation.  I guess AOL went along with the "Once good always good" theory,
 because even if an AOL member changes his/her password, if the correct 
cache is on the computer for the previous password, you are still able to 
login to AIM.  This obviously shows that authentication is on a one time 
basis, and thereafter, it is based upon some sort of algorithm, to speed 
up login time and conserve system resources.  Although this bug seems to 
be very blunt, there is one hinderance, Instant Messages are disabled followed 
by this error, and cannot your privacy settings cannot be reset:

"AOL Instant Messanger(SM) cannot send this message because you have blocked 
the recipient.  You can change this setting on the Privacy tab of the Preferences 
dialog."

Other features, such as Chat, are not.  This bug was found in the latest 
beta release of AIM, and is believed to have effected all previous versions. 
 Anyone else noticed this? Or taken advantage of it in other ways?

Email: f3dster@hushmail.com

% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory %