SecureMac, Inc.

AIM Password Stealing, My AIM Password is incorrect. AIMThief 5.2 for Macintosh

August 6, 2001

published: 08.31.2001
remote: Yes
updated: yes
vulnerable: all aim accounts under 10 characters

The security issue was addressed by AOL and to this date does not remain a concern.

Information

Has your AOL Instant Messenger (AIM) account password come up as invalid and you are sure that you entered it correctly? Figure that your account was hijacked by someone using the program AIMThief 5.2 for the Macintosh.

Hackers found a hole in the protocol used by AIM that lets them remotely change any users passwords if the user name is 10 characters of less.

After the AIM account …

AIM Password Stealing, My AIM Password is incorrect. AIMThief 5.2 for Macintosh

published: 08.31.2001
remote: Yes
updated: yes
vulnerable: all aim accounts under 10 characters

The security issue was addressed by AOL and to this date does not remain a concern.

Information

Has your AOL Instant Messenger (AIM) account password come up as invalid and you are sure that you entered it correctly? Figure that your account was hijacked by someone using the program AIMThief 5.2 for the Macintosh.

Hackers found a hole in the protocol used by AIM that lets them remotely change any users passwords if the user name is 10 characters of less.

After the AIM account was hijacked the attacker logged into it and continued to hijacked all of the people on my buddy list disrupting the buddy system causing people to create new accounts and lose their long list of friends and family. The program to hijack the accounts is both for Windows and Macintosh platform.

After the account was hijacked we tried to use the AIM password retrieval process and although it stated the password was e-mailed to our account we never received the information.

Technical Details

AIMThief tries to access a AIM account, once a name is inputted, it will sign onto AOL. Using the AOL 2.7 P3 protocol, and language called FDO88, it attempts to make a new temporary account (using the aH token) with the name for the AIM you want to steal. If the new account is successfully made, the program accesses an AOL keyword (“aimpass”) and ultimately changes the password to the AIM account. This is done through chicanery to AOL’s servers to fool it into thinking the AIM doesn’t exist and thereby “creating” the account with the password the attacker specifies.

aimthief

Recovering AIM accounts: The E-Mail reminder process offered by AIM does not work after the account is hijacked.
Calling AOL lead to us being told they did not support AIM because it was a free service.E-Mailing technical support in regards to the problem got us no response.

Tips

Create a username of 11 characters or more, export your current list and re-import into new account. Do this before your account gets hijacked. Do not think that just because you do not know ‘hackers’ this will not happen to you, hacks happen to the best of us. A friend of a friend of a friend may lead to you, imagine it as a virus – how it spreads through email, except this is manually by a hacker causing chaos.

Get the latest security news and deals