AOL Instant Messenger is hacked

Three 17-year-olds take credit for inserting pornographic images into America Online's widely used chat service.

Published April 27, 2002 10:28PM (EDT)

Users of the latest version of AOL's Instant Messenger (AIM) software started encountering an unpleasant surprise on Saturday morning: At least three crackers -- malicious hackers -- began inserting pornographic images into "AIM Today" and vandalizing content on at least four screens of the chat software.

Since last August, users who launched the latest versions of AIM also launched an informational "AIM Today" window -- but as late as 4 pm PST Saturday, if users clicked on the "entertainment" link on AIM Today, followed by a click on any of the following three links advertising the chance to "Meet New People" who wanted to discuss the categories of "Celebrities," "Soap Operas" or "Comedy," they would pull up pages displaying pornography, as well as sound files apparently containing messages from the two crackers ("Yeah, fuck you, Sirk owns this shit" -- "This is Neon, fuck you Sirk").

No matter which of the top three "Meet New People" categories are chosen, the content appears to have gone haywire. At the Celebrities link, a series of four pornographic images cycles in an animated GIF. On the Soap Operas link, a Prodigy song plays in the background as a MIDI file. On the Comedy link, below a fifth pornographic image, are pointers to the Aryan group National Alliance.

The chatter and X-rated images appeared next to ads for TV shows broadcast on the AOL-owned Warner Brothers network, including "Charmed" and "Felicity." AOL officials did not return phone calls over the weekend, but the incident occurred at the same time as the AIM home page was boasting: "Potential AIM Security Issue Resolved."

An online chat interview with one of the crackers, who identified himself as Sirk, gave some clues as to the methodology. When new members join the AIM service, they can apparently include HTML code in their screen names. That code can include tags that call off-site images and sound files or display text -- material that appears where the screen name should appear listed under "Meet New People."

Sirk -- whose name appears throughout the cracked pages -- identified himself as one of three 17-year-olds from Connecticut who had been studying AIM for security holes. "I'm surprised somebody hadn't thought of doing it sooner," he messaged, "knowing that the AIM Today 'meet new people' section is all done through [HTML] links." He says he hopes to write computer programs that will automatically generate the code to insert images and text into AIM Today -- or even re-route AIM Today visitors to a Web page fishing for their password and screen name.

This is not the first time AIM has experienced security holes. Two years ago users discovered that their AIM accounts could be hijacked if the corresponding AOL screen name was not already taken. Sirk taunted AOL for their apparent security holes and their restrictive Terms of Services, but his motives appeared simple: "I'm doing it because I can, and I will." But he did offer a bombastic message for AOL.

"I'm only hoping that they are upset, and realize that they can't just program everything like 7th graders."

He also had a message for AIM users worried about security: "Before using AIM, they should do a little research and find out that this is all part of the territory," said Sirk. "If you are using a program that's got as many loopholes and gaps as Swiss cheese, then prepare for the consequences."

By David Cassel

David Cassel is an Oakland, Calif.-based freelance writer covering the Internet and popular culture.

MORE FROM David Cassel

Related Topics ------------------------------------------