You've got accounts!

Pranksters exploit a big back door in AOL's Instant Messenger service.

Published January 25, 2000 5:00PM (EST)

Pranksters have discovered a security hole that lets them take control of America Online Instant Messenger accounts whose owners don't also have separate AOL accounts.

In a demonstration performed for Salon Technology, someone describing himself as a teenage hacker changed the password on our account in less than three minutes.

The AIM software -- which allows real-time screen-to-screen communication -- is used by more than 40 million people, including millions who are not also fee-paying members of AOL's service.

The security hole is simple: AOL's online service can be used to change the passwords on AIM accounts. So pranksters open new AOL accounts using the name of the AIM user they're targeting.

AOL does ask for the AIM password -- but there are ways around this check. More experienced mischief-makers know how to issue keyboard commands to open a password-changing screen before the password check; less-experienced ones know that after the correct series of responses, the AOL account will still be created, but they won't be able to log onto it -- a problem that can be remedied with a call to AOL, which will enable access if the caller supplies the correct credit card information used to create the account.

The stolen AIM identity allows strangers to masquerade as others and even invade their personal lives: "Some hackers pretend they are the victim, and carry on conversations with the person's friends," says the self-described hacker who demonstrated the technique. He tells of one prankster who used the account of a teenage girl to trade messages with her mother -- and pilfer a credit-card number: "The hacker asked the mom for a credit card number she could use to buy a CD online."

The loophole echoes a long history of security problems on AOL. AOL's chat rooms have been awash in password-stealing since at least 1994, when a software called AOHell automated the process, allowing users to troll dozens of names at a time. In 1995, AOL account-breakers discovered a way to bypass the service's password protection. (The San Francisco Chronicle reported that even Steve Case's account was compromised.) Through 1997 and 1998, they accessed high-level screen accounts for more than 30 AOL content areas.

What's remarkable is this latest incident appears to build on the accumulated knowledge of AOL's system. Our source cited a summary of the 1995 breaches that began circulating in 1997. "I am a student of AOL history," he joked. "I read all about the old hacks and used them as a basis for finding new ones." He estimated that since early November, the secret has been passed to dozens if not hundreds of people, with the knowledge spreading more widely most recently. ("About three people knew how to do it up until the first week of January.") He says he's now publicizing the hole in hopes of prompting an unresponsive AOL to close it.

AOL didn't return our request for a comment -- but the company's ongoing war with pranksters and malicious hackers has certainly left it aware of the dangers. The installation process for the AIM client reminds users that "privacy is very important on the Internet" -- and says, "Never reveal your password!"

By David Cassel

David Cassel is an Oakland, Calif.-based freelance writer covering the Internet and popular culture.

MORE FROM David Cassel

Related Topics ------------------------------------------