Originally published on February 23rd, 2001 on Techweb
Two months after a wave of remote break-ins plagued users of America Online’s popular Instant Messenger service (AIM), security experts say AIM’s central server is still not adequately protected from either client- or server-side hacks. Assuming they’re right, the growing number of AIM business users could be opening their corporate communications to eavesdroppers on private conversations, even to sophisticated intruders who can impersonate other users.
For its part, AOL insists that the AIM clients have been recently patched. The company also maintains that the most frequent cause of client-side attacks — namely, the buffer overflow exploit — is no longer an issue, and that recent reports of server-side attacks are mainly "isolated, speculative, and anecdotal issues that we hear from time to time."
But several IT security experts disagree. Kurt Seifried, for example, a security analyst with online security consulting firm SecurityPortal.com, characterizes the AIM server as "very vulnerable" and says, "Beyond the fundamentals, AOL is spending very little time on security for the server."
Any security weaknesses on AIM could pose serious threats to the service’s growing business user base. Among AIM’s 27 million total users today are some 5.5 million corporate clients who have begun relying on the service to link remotely dispersed employees, estimates IDC. And by 2004, the market research company forecasts, that number will reach 180 million business users.
Vulnerabilities In Detail
One innate vulnerability of the AIM scheme lies in the fact that all its messages and transactions are transmitted in clear text — unencrypted and unsigned — making them completely legible once intercepted. "All the traffic of AIM is unencrypted and goes through the AOL server," noted Elias Levy, Chief Technology Officer of SecurityFocus.com, "so hackers can easily listen in and get what they need to abuse the client."
Security consultants say the most persistent security breaches of AIM from 1997 to the present have fallen into two broad categories: buffer overflow and password theft.
Buffer overflow accounts for most of the hacks, experts say. It lets hackers remotely crash a computer system — or even execute local commands on a victim’s desktop — by sending a certain set of characters to an AIM client.
Password theft is less common, but potentially more damaging. When this occurs, an intruder confiscates the password of another AIM user and then uses it to impersonate password’s true owner in AIM messaging sessions.
One unusual fact makes buffer overflow especially pernicious: The AIM client does not even need to be running. Instead, once the client is installed, it’s vulnerable, so long as the user’s PC and Web browser are running. That’s because AIM commands are sent to a user in the form of a URL bearing the "aim://" identifier tag, as opposed to the "http://" that identifies Web pages. The command is first processed by the user’s Web browser, which then awakens the AIM client. Inside the command is enough non-interpretable characters — what programmers call garbage — to overflow the AIM client’s buffer.
AOL has shown some willingness to fix the buffer overflow problem. For example, in December, after @Stake (Cambridge, Mass.), an Internet security consulting firm, issued a security advisory about the buffer overflow problem, AOL responded by upgrading its AIM client. An AOL spokesman says the company will continue to fix AIM security problems on a case-by-case basis. "Our latest client is the most secure one to date," he says, "and we intend to continue providing a more robust and more secure client as time goes on."
But security experts argue that new kinds of buffer-overflow attacks are still possible. They point out that AOL’s fixes filter only garbage commands that have already been reported to AOL, leaving the AIM service vulnerable to other possible instances. In fact, Weld Pond, @Stake’s R&D manager, says his company’s repeated security bulletins regarding new buffer overflow attacks prove AOL isn’t using secure policies. "It’s like finding that one of your windows has no lock," he says of AOL’s actions, quot;and then not going around to check the other windows."
One consultant who actually developed security software for AOL agrees. From 1997 to 1999, Mike Shinn was a senior network security engineer at Cisco Systems, which at the time was under contract with AOL to develop security software for AIM user accounts (Shinn is currently a principal partner at The Shadow Group, a Washington, D.C., security consulting firm). Shinn says his group was instructed by AOL to not implement in their software any defensive measures. Instead, he adds, AOL told them to simply record instances of security breaches. "They [AOL] didn’t want the software to react to the problem, they didn’t want to stop it per se," he recalls. "They just wanted the software to tell AOL there was a problem — that someone was trying to break into an account."
Password theft, the other main category of AIM hack, is a security risk may lurk entirely within the AIM server. So asserts one self-described AOL hacker, who says he was able to trick the AOL server into converting an AIM user account into an AOL user account. This, in turn, let him change the account’s password, locking out the authentic user. From there, he could log onto AIM using the hijacked password and impersonate that user.
"Some of my buddies used the hijacked AIM accounts to carry on fake conversations with the friends of the person who originally owned it," the hacker says. "The conversations resulted in my buddies tricking the real owner’s friends into providing personal information, even credit card information. People have no reason to believe that accounts have been hacked unless the real owner notifies them."
The hacker maintains that upgrading to the most recent version of AIM solves nothing. "Most of the exploits are what we call server-side hacks, which means the software client has nothing to do with the hack at all," he says. "Buffer overflow was the only major hack that involved the actual client software."
Such exploits have been confirmed by others, who point to evidence of possible damage caused by AIM password theft. Habeeb Dihu, a senior principal at e-business consulting firm DiamondCluster International (Chicago, Ill.), says his AIM user ID — "MacGyver" — was hijacked. The result jeopardized a major business negotiation, he says.
"I was working on the Covisint deal," Dihu said, referring to the B2B exchange recently developed by General Motors, Chrysler, Ford, Oracle, and Commerce One. "Somewhere in the middle of the deal, my AIM screen ID got hacked. Someone masqueraded as me and started to talk to my co-workers." (Hackers say that so-called vanity names — such as "MacGyver" — are often the first choice for an attack.)
Dihu immediately alerted both his co-workers and AOL regarding the password hijack, but he says AOL’s tech support was unresponsive and eventually ignored him altogether. Only after Dihu reported his case to the press did he receive his first AOL response — from the company’s director of press relations. "Relative to how much AIM is used in the corporate world," Dihu adds, "the security behind this thing is abysmal."
Some security experts say server-side hacks don’t constitute a real threat. "To my knowledge, there have been no successful attacks — other than possibly denial-of-service attacks — against the AIM servers," says Levy of SecurityFocus. But even Levy concedes that a security hole could be discovered on the AIM servers. "Such a hole," he adds, "may compromise the communications of all AIM users."
An AOL spokesperson stated his company does not comment on the intricacies of its security system, and that it endeavors to maintain "very high standards of safety, security, and privacy" for its users. However, the spokesperson dismissed reports of server-side security breaches as involving mainly "anecdotal, unrecognizable, and unreplicable glitches that are reported from time to time." When asked to respond to experts’ characterizations of AOL’s approach to handling security breaches as low-key, the spokesperson stated he would "vigorously dispute and reject those kinds of conclusions as speculation."
What Can Users Do?
To be sure, say security experts, companies using AIM for business communication should be aware that AOL — unlike a telephone provider — has no legal responsibility for securing communication over its services. "Unlike the phone, AOL IM is unregulated and insecure," says Pond of @Stake. "You’re sending your communication in the clear over the Internet to AOL’s server and back, whether you’re talking to someone in a remote location or in the office next door. People think of it as the phone, but they shouldn’t."
Pond recommends that companies set up security policies at the corporate level and implement their own in-house security evaluations to take into account the vulnerabilities of software — including AIM — running on all their platforms.
"If you just want to talk to people in your company," said David Cassel, editor of the AOL Watch Newsletter, "you’re better off using some other piece of software that wouldn’t be under as much scrutiny from hackers."
"If you must use AIM, spend as little time as possible on it," added Cassel. "When I’m through with my messaging conversation, I close out the software in both my window and my tray. Yes, I can’t be messaged. But I also can’t be hacked."