Macintosh Security Site -> AIM Password Stealing, My AIM Password is Incorrect. AIMThief 5.2 for Macintosh

Site Information

	About this site
	Site Background
	Who runs the site
	Advertising
	Security Consulting
	Employment/Jobs
	Feedback Form

SecureMac Software

	MacScan
	PrivacyScan

Mac OS X Security

	Root Shell in 4 steps with setuid apps
	sudo buffer overflow exploit + fix
	Disable Single User Boot Mode
	Malevolence - Dumping Passwords
	nidump security
	Startup Security - Open Firmware Password Protection

Mac OS X Network Security

	OpenSSH for Mac OS X
	SAINT
	Secure FTP Wrapper
	Ettercap - sniffer interceptor logger
	Snort - Network Intrusion Detection System
	SSH Admin
	SSH Helper
	xnu - enable MAC Address spoofing

Mac OS X Virus

Virex for Mac OS X - Command Line Scanner

Mac OS X Firewalls

	BrickHouse Firewall Utility
	Firewalk Firewall Utility
	NetBarrier X

Mac OS X App Sec.

Timbuktu OS X Preview Security Advisory + Fix

Mac OS X Encryption

	LittleSecrets
	Crypt for Mac OS X
	GPGMail - PGP Functionality

Mac OS X DoS

Mac OS X CGI Flaw

SecureMac Library

	Data Loss Prevention & Recover
	Mac Cable Modem Security
	Mac Security Auditing
	Mac OS X Security Understanding
	Mac OS X Security Second Lessons
	Mac OS X Security Third Lesson
	Mac OS X Single User Mode Root Access
	Mac OS X Shareware Firewalls
	Mac OS X Secure Installation
	Cable & DSL Connections - Security Measures
	Better Safe than Sorry
	Apple.com Security Resources
	Marketing Macintosh Security Programs

AIM Security Advisory
(AIMThief/Advisory)

AIM Security Advisory
w/ AIMThief 5.2

published: 08.31.2001
remote: Yes
updated: yes
vulnerable: all aim accounts under 10 characters

The security issue was addressed by AOL and to this date does not remain a concern.

Information: Has your AOL Instant Messenger (AIM) account password come up as invalid and you are sure that you entered it correctly? Figure that your account was hijacked by someone using the program AIMThief 5.2 for the Macintosh.

Hackers found a hole in the protocol used by AIM that lets them remotely change any users passwords if the user name is 10 characters of less.

After the AIM account was hijacked the attacker logged into it and continued to hijacked all of the people on my buddy list disrupting the buddy system causing people to create new accounts and lose their long list of friends and family. The program to hijack the accounts is both for Windows and Macintosh platform.

After the account was hijacked we tried to use the AIM password retrieval process and although it stated the password was e-mailed to our account we never received the information.

Technical Details:

AIMThief tries to access a AIM account, once a name is inputted, it will sign onto AOL. Using the AOL 2.7 P3 protocal, and language called FDO88, it attempts to make a new temporary account (using the aH token) with the name for the AIM you want to steal. If the new account is successfully made, the program accesses an AOL keyword ("aimpass") and ultimately changes the password to the AIM account. This is done through chicanery to AOL's servers to fool it into thinking the AIM doesn't exist and thereby "creating" the account with the password the attacker specifies.

AIMTHIEF Macintosh AIM Password Thief
screenshot provided by anonamac via e-mail.

Recovering AIM accounts: The E-Mail reminder process offered by AIM does not work after the account is hijacked.
Calling AOL lead to us being told they did not support AIM because it was a free service.
E-Mailing technical support in regards to the problem got us no response.

Tips:
Create a username of 11 characters or more, export your current list and re-import into new account. Do this before your account gets hijacked. Do not think that just because you do not know 'hackers' this will not happen to you, hacks happen to the best of us. A friend of a friend of a friend may lead to you, imagine it as a virus - how it spreads through email, except this is manually by a hacker causing chaos.

FEEDBACK TIME!

Enter Email Address:

Enter your message:

Select Either of These Two Buttons

Security + OS

	AtEase
	DiskLock
	PowerBook Security Control Panel
	Empower Pro
	FileGuard
	FreeGuard
	FoolProof
	Deus Lock Master
	OnGuard
	Keys Off
	LockOut
	MacOS Algorithm
	Modem Security
	Password Key
	PGPuam
	PPF
	Shift Key Suite
	Stealth Signal
	SuperLock Lite
	SuperLock Pro
	Web-Confidential

Macintosh Viruses

	Agax 1.3
	Disinfectant
	Sophos Anti-Virus
	Norton AntiVirus Nav 7 Nav 6 Nav X
	Virex - Oct
	VirusBarrier - Netupdate
	vScan - Discontinued.

Mac Physical Security

SecurityWare

Macintosh Firewalls

	ContentBarrier
	DoorStop Firewall
	Firewall Q & A
	IPNetSentry
	NetBarrier
	Norton Personal Firewall

Mac Spyware & Privacy

	TypeRecorder
	Monitorer
	NetShred - Delete Files Safely

Network Security

	AppleTalk
	MacAnalysis
	Oyabun Tools
	WDTech RAE
	ToolDaemon

Application Security Issues

	America Online
	AIM - AOL Instant Messenger
	Back Orifice
	Eudora E-Mail Client
	Internet Configure
	IE 5.1, OE 5.1, Powerpoint, Excel Vulnerability
	MS Personal webServer
	NetBus
	Outlook Express 4.5 Password Flaw
	SubSeven
	Sub7ME Server

Resource Info

	ResEdit
	AppleShare Server Info

Mac OS Encryption

	Enigma
	EnScript
	FGP
	FileTwister
	ForgotIt?
	GenPass
	MacLockSmith
	My-Privacy
	My Secret
	PGPi
	PGPhone
	PGP Personal
	PGP Freeware
	PowerCrypt-dev
	Private File
	Quick Encrypt
	SubRosa Utilities
	Tresor

Deleting Files

	Burn 2.5
	Eraser Pro
	ShredIt

Backups

Tri-BACKUP

Apple Hardware

Apple LaserWriter

MacOS DoS

	GrouchySmurf
	Mac Attack