Re: Ability to read buddy list of AIM users

["Andrew J. Stackhouse" <ajs () codewolf com>]

Actually on my Win2k install (AIM version 4.7.2480), the file is in:
C:\Documents and Settings\<w2k user name>\Application Data\Aim\<AIM User
Name>

which would not be accessable by anyone but the user or someone with
Administrator's rights



----- Original Message -----
From: "sunny licious" <sunnylicious () hotmail com>
To: <bugtraq () securityfocus com>
Sent: Monday, April 15, 2002 11:30 AM
Subject: Ability to read buddy list of AIM users


> Ive been able to do this on publicly accessible
>  computers...such as university labs...You can see
>  the buddy list of other people who have signed on to
>  AIM on that computer. On win2k in the folder named
>  winnt/AIM95/"screenname" there is a file called
>  userinfo.bag which stores all the names on your
>  buddy list...all you have to do is traverse to a different
>  screenname directory and open up the file with any
>  editor. In win XP the folder is in
>  winnt/system32/aim95. This pretty much works on
>  any OS although I havent tried linux and Mac yet.
>  Although this may not be a serious threat, its pretty
>  much a violation of privacy...and that is a right we all
>  have correct?? corrrect..Its pretty easy for anyone
>  being nosy to start harrasing people on your buddy
>  list. I hope this isnt a repost. Contacting AOL also
> pretty much all that needs to be done is check out the
> aim95 folder for a file called userinfo.bag