
aim.caching.txt

16 Nov 2000 00:00:00 | Reported by F3d | Type: packetstorm | Source: packetstormsecurity.com

AOL Instant Messenger caching vulnerability allows permanent login despite password changes.

Code
`% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory %   
  
Author: f3d  
Program: AOL Instant Messenger Servers/Clients  
Fault: Caching vulnerability  
Os: Win/BSD/*Aim compatible  
  
% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory %   
  
Problem. There is a vulnerability in AOL Instant Messenger Client and/or   
Servers in which case they depend heavily upon caching, too heavily. The   
problem with the servers' and clients' authentication method is, once you   
have logged onto AIM with a screenname, you can permanently login with   
that screenname.   
  
Explanation. I guess AOL went along with the "Once good always good" theory,  
because even if an AOL member changes his/her password, if the correct   
cache is on the computer for the previous password, you are still able to   
login to AIM. This obviously shows that authentication is on a one time   
basis, and thereafter, it is based upon some sort of algorithm, to speed   
up login time and conserve system resources. Although this bug seems to   
be very blunt, there is one hindrance, Instant Messages are disabled followed   
by this error, and your privacy settings cannot be reset:  
  
"AOL Instant Messanger(SM) cannot send this message because you have blocked   
the recipient. You can change this setting on the Privacy tab of the Preferences   
dialog."  
  
Other features, such as Chat, are not. This bug was found in the latest   
beta release of AIM, and is believed to have affected all previous versions.   
Anyone else noticed this? Or taken advantage of it in other ways?  
  
Email: [email protected]  
  
% Advisory % Advisory % Advisory % Advisory % Advisory % Advisory % `
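
The behaviour the advisory reports, a cached login that keeps working after a password change, shown beside a server-side check that rejects it. This is an added Python example, not part of the advisory and not AOL's code. The token format, the `Accounts` store and the password-version counter are assumptions for illustration; the advisory does not describe AIM's actual mechanism.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed server-side signing key


class Accounts:
    """Hypothetical account store: screen name -> password-change counter."""

    def __init__(self):
        self.pw_version = {}

    def set_password(self, name):
        # Every password set or change bumps the counter for that screen name.
        self.pw_version[name] = self.pw_version.get(name, 0) + 1


def _mac(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(accounts, name):
    """Issued after one successful password login; the client caches it."""
    version = accounts.pw_version[name]
    return f"{name}:{version}:{_mac(f'{name}:{version}')}"


def _authentic(token):
    """Return (name, version) if the server issued this token, else None."""
    try:
        name, version, mac = token.rsplit(":", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(f"{name}:{version}").encode()):
        return None
    return name, int(version)


def verify_once_good_always_good(token):
    """Flawed: accepts any token the server ever issued, forever."""
    return _authentic(token) is not None


def verify_bound_to_password(accounts, token):
    """Hardened: the token must also match the current password version."""
    parsed = _authentic(token)
    return parsed is not None and accounts.pw_version.get(parsed[0]) == parsed[1]
```

With the hardened check, a password change invalidates every cached token without the server having to track them individually.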
