Security Flaw Exposes 35 Million AOL Accounts

By Nate Mook and Craig Newell, BetaNews

January 22, 2003, 11:19 AM

UPDATED The accounts of millions of AOL subscribers were jeopardized this week due to a serious flaw in the company's Web-based mail system, BetaNews has learned.

The vulnerability stems from an error in one of AOL's international e-mail authentication systems, which granted users access without correctly verifying passwords. By simply entering an account name, an AOL user had the ability to read any other user's e-mail and all personal data contained therein.

Private correspondence suddenly became open for public perusal, and sensitive information such as passwords and account numbers were potentially exposed to prying eyes.

Although AOL plugged the security hole early Wednesday morning, it is unclear at this point how many AOL and AIM accounts have been compromised. A source who demonstrated the vulnerability to BetaNews indicated that scores of accounts had been infiltrated in just a short time.

The only accounts entirely spared from the snafu were those of AOL employees, as a SecurID code is required for such accounts, in addition to a password.

While security issues are nothing new to AOL, the scope of this vulnerability and the ease with which it was executed are particularly disconcerting. Such a security breach extends beyond just e-mail and opens the door for potential identity theft.

"There's two basic models of system security: Perimeter and Defense-In-Depth. Though no good system ever survives a weak perimeter, it's all too easy to suffer 'Candy Bar Security': Crunchy on the outside, soft and chewy on the inside," said Dan Kaminsky, security engineer for DoxPara Research. "Unfortunately, that's what hit AOL in this case. For whatever reason, AOL's mail servers were willing to grant access to user archives because they believed some trusted host at the perimeter had authenticated the necessary token -- the password."

The biggest risk lies in the connection between AOL and AIM. Because the messaging networks utilize separate databases, when an AOL account is created, an independently controlled AOL Instant Messenger account is also established with the same e-mail and password.

Anyone with access to a member's e-mail can easily request a reminder of their AOL Instant Messenger password, which in most cases would also grant complete control over the AOL account. This would allow even more personal information to be accessed including addresses and phone numbers.

According to reports, AIM accounts could also be hijacked by changing the password and e-mail address associated with the username.

The vulnerability does not directly affect ScreenName, the unified sign-on system deployed across AOL's Web properties. However, once a password is obtained, personal information stored on any ScreenName-enabled site is potentially at risk.

Major online players such as Microsoft with its Passport service, and the Liberty Alliance backed by AOL and Sun have been advocates of single sign-in technologies where a user only needs to log in once to access numerous services.

But with such a large repository of user data, security concerns become paramount. AOL has faced several major security breaches in the past, most notably in summer of 2000 when hackers were able to access the subscriber's information database that includes detailed customer records like credit card information.

AOL has confirmed the problem to third parties but has not responded to several requests for comment by BetaNews.