Instant Messaging Planet   Earthweb  


AOL's AIM Forces the Issue
July 16, 2002
By Bob Woods

America Online's AOL Instant Messenger (AIM) -- specifically, version 4.7 of the immensely popular IM client -- can be forced into accepting new screen names or other functions from Web sites, e-mails and other venues that can use a specific HTML tag, according to one IT group. Malicious hackers using the exploit can force users to join any chat room or to change their buddy icons, among other actions.

Mindflip.org says this can be done with the use of the "refresh" HTML tag, along with an "aim:" link and some JavaScript. The group's testing shows that this issue affects those people using the 4.7 client on Windows 9x, Me, 2000 and XP, as well as on the 4.5 version of the Macintosh OS9x/X.*. The AIM client available for Linux is not affected, mindflip.org said.

In the most benign effect of using the issue, a person notices that a new buddy or group of buddies has been added to his Buddy List. A Web site using the refresh code can load new buddies into a person's Buddy List in the same way that a user can if they click on a Web page link to do so.

AOL officials were not immediately available for comment on this story. Mindflip.org said it called AOL on the matter a few months ago and was told that the exploit was a feature that would not be removed from 4.7 but modified in future versions of the client. The group said version 4.8 of the client "has been modified to prompt the users when modifications to their (Buddy List) are about to take place."

InstantMessagingPlanet was only able to confirm that the exploit -- run from a mindflip.org test page -- does not work the same on the new AIM 5.0 beta as it does with AIM 4.7. With the 5.0 client, a box pops up asking users to confirm whether they want to add new screen names to their Buddy List.

Interestingly, when we tested the issue from the Web browser in the AOL 7.0 proprietary client, it launched AIM 5.0 beta and asked to add the new screen names to the Buddy List. Mindflip.org said in some cases the AIM client launches automatically when the exploit is run.

More malicious hackers, through the use of refresh, "aim:" links and JavaScript code, can register a new screen name to a person's AIM client and force that user to log on with the new name, mindflip.org says. Other possible forced actions include:

  • Launching and forcing users to join any chat room, including sexually oriented rooms
  • Setting the buddy icon (think possible pornographic icons here)
  • Automatically fetching a file from another AIM user -- generally, a user will receive a warning about this unless that feature already has been disabled

Also, because unscrupulous marketers can use the issue to force their own screen names onto Buddy Lists, they can force users to view marketing messages without giving them the option to decline them -- because that marketer is already on the person's Buddy List.

"With the use of a little JavaScript...one could potentially force many behaviors with one page load," mindflip.org says.

Of course, any and all new screen names can be deleted from a Buddy List once they're added by this issue. This can be problematic, though, for people who have hundreds of screen names on their list.

One way to partially avoid this issue is to download and use AOL's new version 4.8 of its client. At least then the user has the opportunity to decline the changes being made to a Buddy List.
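
A defensive check for the delivery path described above, as an added example that is not from mindflip.org, AOL or the original article: a Python scanner that a mail or web gateway could run to flag pages that navigate to an "aim:" link without a click, through a refresh meta tag or script. The `aim:example-action` URL in the sample is a constructed placeholder, and the script check is a regex heuristic rather than a JavaScript parser.

```python
import re
from html.parser import HTMLParser

WATCHED_SCHEMES = ("aim:",)  # schemes handed to an external client

# Script statements that navigate without a click (heuristic only).
JS_NAV = re.compile(
    r"""(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(|window\.open\s*\()\s*["']\s*([^"']+)""",
    re.I,
)

def _watched(url):
    return url.strip().lower().startswith(WATCHED_SCHEMES)

class AutoLaunchScanner(HTMLParser):
    """Collects watched-scheme references that fire without user action."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content is "<seconds>;url=<target>"; the "url=" prefix is optional
            target = a.get("content", "").partition(";")[2]
            target = re.sub(r"^\s*url\s*=\s*", "", target, flags=re.I).strip(" '\"")
            if _watched(target):
                self.findings.append(("meta-refresh", target))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in JS_NAV.findall(data):
                if _watched(url):
                    self.findings.append(("script-navigation", url))

def scan(html):
    """Return (kind, url) pairs; ordinary clickable links are not reported."""
    scanner = AutoLaunchScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, not taken from the mindflip.org test page.
SAMPLE = '<meta http-equiv="refresh" content="0;url=aim:example-action?name=placeholder">'
```

A clickable `<a href="aim:...">` link is deliberately left unflagged, since the article notes that adding a buddy from a clicked Web page link is the client's normal behavior.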

Bob Woods is the managing editor of InstantMessagingPlanet.
