Vulnerability Development mailing list archives
RE: In regards to the insecurity of AOL Instant Messenger
From: Jason Barbour <jbarbo1 () umbc edu>
Date: Tue, 6 Aug 2002 14:58:37 -0400
Does the AIM protocol have any kind of authentication to defeat MiM attacks whereby an attacker couldn't drop himself in the middle and log all outgoing conversations and change the actual conversation if he wanted? I don't know much about the protocol and I'm pretty sure it's closed source, but has enough work been done by researchers into the protocol to determine if this is possible? It seems to me it would be trivial for AOL's server to have a random id generated upon every successful login attempt by a user that would need to be included with every message and action on the client side in order for it to register. This would at least prevent an attack by hopping into the middle of a conversation and would require a more extensive attack by being in the middle for the initial login.
A good document on AIM/Oscar can be found at aimdoc.sourceforge.net/OSCARdoc. It appears that when you sign on you first connect to an authorization server, which issues you a cookie to log on to the other servers. With this, isn't it still possible for man-in-the-middle attacks?

On a side note, I guess it could be possible to write a simple encryption tool that just encrypted your message and sent the encrypted results. Just a pain that each person would need to have the tool and any needed keys. Could be a nifty little tool in my opinion.

--- Jason
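Added example, not part of the original post and not the OSCAR wire format: a sketch contrasting the per-login random id discussed above, which whoever relays the traffic can copy onto altered text, with a tag computed from a pre-shared key of the kind the encryption-tool idea would require. The function and class names, the message layout and the sample texts are assumptions constructed for illustration, and the block covers tamper and replay detection only, not confidentiality.

```python
import hashlib
import hmac
import secrets

def token_accepts(session_id, presented_id, text):
    """Per-login random id: 'text' is deliberately unused, nothing binds it."""
    return hmac.compare_digest(session_id, presented_id)

def _tag(key, seq, text):
    # Bind the sequence number and the text to the pre-shared key.
    return hmac.new(key, seq.to_bytes(8, "big") + text, hashlib.sha256).digest()

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def seal(self, text):
        self.seq += 1
        return self.seq, text, _tag(self.key, self.seq, text)

class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def accept(self, seq, text, tag):
        if not hmac.compare_digest(_tag(self.key, seq, text), tag):
            return False          # text or sequence number changed in transit
        if seq <= self.last_seq:
            return False          # valid tag but already seen: replayed message
        self.last_seq = seq
        return True

def demo():
    genuine, altered = b"meet at 5", b"meet at 9"   # constructed sample texts
    session_id = secrets.token_bytes(16)            # hypothetical per-login id
    key = secrets.token_bytes(32)                   # hypothetical pre-shared key
    sender, receiver = Sender(key), Receiver(key)
    seq, text, tag = sender.seal(genuine)
    return {
        # The id travels with every message, so it can accompany altered text.
        "token_altered_accepted": token_accepts(session_id, session_id, altered),
        "mac_altered_accepted": receiver.accept(seq, altered, tag),
        "mac_genuine_accepted": receiver.accept(seq, text, tag),
        "mac_replay_accepted": receiver.accept(seq, text, tag),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The key has to reach both people over some channel other than the conversation itself, which is the key-distribution pain the post mentions.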