AIM Eavesdropping Hole

by george

I recently came into possession of a PowerBook G3.

In the process of loading software onto it, I installed AOL Instant Messenger.  I'm an IM addict...  I have huge buddy lists, it's my primary means of real time communication.

I noticed something odd when I started it up on the Mac.  Unlike Yahoo! Messenger, it left me logged in on my Windows box.  This doesn't seem right.

Further experimentation showed that if I receive a message when logged in on both, the message shows up on both computers.  That seems really wrong.

While it requires your login credentials and local network access to exploit, you can eavesdrop on half the conversation.  It's only the half your target receives, not what they send, but I've worked in military intelligence - you can reconstruct a large portion of the missing data if you read and analyze carefully.

You won't get the exact wording, but you will get the information itself.

I've developed three plans on how to exploit this.

A creative hacker could probably find more, and there are certainly variations on these basic attacks.  In all of these scenarios, all computers logged in are presenting the same IP to the AIM servers, i.e., via a home router of some sort.

To my knowledge, this will not work outside of a single external IP situation.  I pray to God it won't.

First scenario is the nosy roommate.  In this scenario, someone you live with decides to spy on you.  They guess your password, install a keylogger, brute force it, or social engineer it ("My AIM died and I need to get ahold of someone"), or something of the sort.  Then they can watch half of the conversation.

Second scenario is what I call the "weakest link."  An attacker finds a computer on your home network that you aren't watching as carefully or using as much.  They proceed to 0wn that computer via whatever means they have available.  This will let them remotely monitor half the conversation, and likely won't get noticed as you aren't keeping this system secured, or using/scanning it as often as you do your main system.

Third, and potentially most dangerous, is the wardriving attack.  The attacker secures your login credentials however they can, parks themselves across the street, and proceeds to watch as in the nosy roommate situation.  This is the hardest to detect unless you are watching your access logs.

Protecting against this is simple.

First, follow good password practices.  Make it hard to guess, mix numbers and letters, caps and lowercase, and never tell it to anyone.  It should only be entered into the AIM software or website to access AIM services, and should not be stored.  Make it hard to get your password and, unless you've really pissed someone off, they will give up on you and find an easier target.

Second, your network is only as secure as the least secure computer.  Keep all systems that are attached to the network, no matter how insignificant, fully patched and regularly scanned.  An attacker only needs to compromise one system to gain access.

Third, if you use a wireless network, secure it.  Don't set it up so that anyone with a wireless card can pull a DHCP lease and reach the net through your WAP.  Watch your WAP's access logs regularly as well to determine if there are any attempts (especially successful ones) to access the network without your permission.
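A concrete way to do the log watching suggested above is to keep a list of the MAC addresses you actually own and flag any lease handed out to anything else.  The script below is an added example, not part of the original article or of any AIM or WAP vendor software; the log lines are constructed in an ISC-dhcpd-like format, and the MAC addresses and hostnames in them are made up.

```python
import re

# Constructed sample lines in an ISC-dhcpd-like format (not taken from the article).
SAMPLE_LOG = """\
Jun  3 22:14:01 wap dhcpd: DHCPACK on 192.168.1.20 to 00:03:93:aa:bb:cc (powerbook) via br0
Jun  3 22:15:42 wap dhcpd: DHCPACK on 192.168.1.21 to 00:0d:60:11:22:33 (winbox) via br0
Jun  3 23:58:09 wap dhcpd: DHCPACK on 192.168.1.44 to 00:40:96:de:ad:00 via br0
Jun  3 23:58:10 wap dhcpd: DHCPREQUEST for 192.168.1.44 from 00:40:96:de:ad:00 via br0
"""

# Constructed allowlist: the machines you know are supposed to be on the WAP.
KNOWN_DEVICES = {
    "00:03:93:aa:bb:cc": "powerbook",
    "00:0d:60:11:22:33": "winbox",
}

# Only DHCPACK lines mean a lease was actually granted; a hostname in
# parentheses is optional, since not every client sends one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_leases(lines):
    """Yield one dict per granted lease found in the log lines."""
    for line in lines:
        m = ACK_RE.search(line)
        if m is None:
            continue
        yield {
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "host": m["host"] or "",
            "iface": m["iface"],
            "raw": line.rstrip(),
        }


def unknown_leases(lines, known=KNOWN_DEVICES):
    """Return the leases granted to MAC addresses not on the allowlist."""
    return [lease for lease in parse_leases(lines) if lease["mac"] not in known]


if __name__ == "__main__":
    for lease in unknown_leases(SAMPLE_LOG.splitlines()):
        print("unknown device got a lease:", lease["raw"])
```

Run it against a copy of the WAP's syslog; a MAC you do not recognise receiving a lease is exactly the "successful attempt" the article tells you to look for.  MAC addresses can be forged, so an empty report does not prove the network is clean, but a non-empty one is an immediate reason to investigate.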

AOL could fix this easily.

They just have to fix AIM so that, like Yahoo! Messenger, you get logged out of your current session if you log in again.  It shouldn't require you to be behind a different IP to log you out - any login should end your current session immediately.

While that won't prevent someone from accessing your account, it will at least make it much harder to do so without being noticed.
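The fix the article asks for is a server-side policy: one active session per account, and a new login ends the old one no matter what IP it comes from.  The following is an added example written for this page, not AOL's or anyone else's server code; it models the observed fan-out behaviour and the single-session fix side by side so the difference in message delivery is visible.  The account name and the IP address used in the demo are constructed.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    token: str
    account: str
    client_ip: str
    created_at: float


class FanOutSessionStore:
    """Models the behaviour the article observed: every login for an
    account stays active, and an incoming message goes to all of them."""

    def __init__(self):
        self._sessions = {}  # account -> list of Session

    def login(self, account, client_ip):
        sess = Session(secrets.token_hex(16), account, client_ip, time.time())
        self._sessions.setdefault(account, []).append(sess)
        return sess

    def deliver(self, account, text):
        """Return the sessions that would receive the message (all of them)."""
        return list(self._sessions.get(account, []))


class SingleSessionStore:
    """The fix the article proposes: a new login ends the existing session
    regardless of client IP, and messages go only to the surviving one."""

    def __init__(self):
        self._active = {}   # account -> Session
        self._revoked = []  # audit trail of sessions ended by a later login

    def login(self, account, client_ip):
        old = self._active.get(account)
        if old is not None:
            # Ending the old session is what makes a second login noticeable
            # to whoever was using the first one.
            self._revoked.append(old)
        sess = Session(secrets.token_hex(16), account, client_ip, time.time())
        self._active[account] = sess
        return sess

    def is_active(self, sess):
        return self._active.get(sess.account) == sess

    def deliver(self, account, text):
        sess = self._active.get(account)
        return [sess] if sess is not None else []

    def revoked_sessions(self):
        return list(self._revoked)


def demo():
    """Same sequence against both stores: two logins from one external IP.
    Returns (copies delivered with fan-out, copies delivered with the fix,
    first session still active?, second session still active?)."""
    fan = FanOutSessionStore()
    fan.login("george", "203.0.113.7")   # constructed account and IP
    fan.login("george", "203.0.113.7")
    fan_copies = len(fan.deliver("george", "hi"))

    single = SingleSessionStore()
    first = single.login("george", "203.0.113.7")
    second = single.login("george", "203.0.113.7")
    single_copies = len(single.deliver("george", "hi"))
    return fan_copies, single_copies, single.is_active(first), single.is_active(second)


if __name__ == "__main__":
    print(demo())
```

Note that the fix keys on the account, not the IP: two logins from the same home router are treated exactly like two logins from different continents, which is the point the article makes about not requiring a different IP.  The `_revoked` list is where a real server would hook a "you have been signed out because of a login elsewhere" notice to the displaced client.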
