Vulnerability Development mailing list archives
Re: In regards to the insecurity of AOL Instant Messenger
From: "Nick Lange" <nicklange () wi rr com>
Date: Tue, 6 Aug 2002 12:31:55 -0500
Trillian allows SSL over AIM protocol [or did allow in .72, haven't checked the RC1 release yet]. lICQ allowed SSL over ICQ as well... so it's there if you're willing to use alternative clients, but most people don't. nick ----- Original Message ----- From: "Alex Lambert" <alambert () webmaster com> To: "Adam Carr" <itsacarr () adelphia net>; <vuln-dev () lists securityfocus com> Sent: Tuesday, August 06, 2002 11:15 AM Subject: Re: In regards to the insecurity of AOL Instant Messenger
Now my question, is how secure are normal "ims" on AIM. How difficult = would it be to listen to anothers msgs and if at all possible, how could
=
this be fixed.=20"msgsnarf records selected messages from AOL Instant Mes- senger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions." (msgsnarf(8) manpage) AFAIK, none of the above protocols are usually encrypted. dsniff (http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz) can pick them
up.
apl ----- Original Message ----- From: "Adam Carr" <itsacarr () adelphia net> To: <vuln-dev () lists securityfocus com> Sent: Monday, August 05, 2002 5:58 PM Subject: In regards to the insecurity of AOL Instant MessengerAfter seeing the recent emails about the hide windows while away = function while I don't quite understand that as a security threat this = does remind me of other insecurities of AIM and some questions I had as
=
well. The first threat to AIM users that I am aware of and have tested myself
=
is under Direct Connects with another user. With a targets ip, it is not
=
difficult at all to intercept the dcc's messages and to input your own.
=
Quite frightening. A simple fix is to change the port which AIM direct = connects on. Seeing as how my explanations are not that great I invite = anyone else who is aware of this to explain that flaw in AIM. Now my question, is how secure are normal "ims" on AIM. How difficult = would it be to listen to anothers msgs and if at all possible, how could
=
this be fixed.=20 I know AIM has\had it's share of other vulnerabilities so please speak = up if you know of any. Thanks ... Cheers ... Adam
Current thread:
- In regards to the insecurity of AOL Instant Messenger Adam Carr (Aug 05)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Nick Lange (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger moksha faced (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Bojan Zdrnja (Aug 07)
- Re: In regards to the insecurity of AOL Instant Messenger Nick Lange (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger H C (Aug 06)
- <Possible follow-ups>
- RE: In regards to the insecurity of AOL Instant Messenger jbarbo1 (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger John Scimone (Aug 06)
- In regards to the insecurity of AOL Instant Messenger mike (Aug 06)
- RE: In regards to the insecurity of AOL Instant Messenger Seth Knox (Aug 06)
- RE: In regards to the insecurity of AOL Instant Messenger Jason Barbour (Aug 06)