Security Flaw Exposes AOL Accounts

Editors Note: This story originally ran on BetaNews.com and appears on eWEEK with the sites permission.

The accounts of millions of AOL subscribers were jeopardized this week due to a serious flaw in the companys Web-based mail system, BetaNews has learned.

The vulnerability stems from an error in one of AOLs international e-mail authentication systems, which granted users access without correctly verifying passwords. By simply entering an account name, an AOL user had the ability to read any other users e-mail and all personal data contained therein.

Private correspondence suddenly became open for public perusal, and sensitive information such as passwords and account numbers were potentially exposed to prying eyes.

Although AOL plugged the security hole early Wednesday morning, it is unclear at this point how many AOL and AIM accounts have been compromised.

The only accounts entirely spared from the snafu were those of AOL employees, as a SecurID code is required for such accounts, in addition to a password.

While security issues are nothing new to AOL, the scope of this vulnerability and the ease with which it was executed are particularly disconcerting. Such a security breach extends beyond just e-mail and opens the door for potential identity theft.

“Theres two basic models of system security: Perimeter and Defense-In-Depth. Though no good system ever survives a weak perimeter, its all too easy to suffer Candy Bar Security: Crunchy on the outside, soft and chewy on the inside,” said Dan Kaminsky, security engineer for DoxPara Research. “Unfortunately, thats what hit AOL in this case. For whatever reason, AOLs mail servers were willing to grant access to user archives because they believed some trusted host at the perimeter had authenticated the necessary token—the password.”

The biggest risk lies in the connection between AOL and AIM. Because the messaging networks utilize separate databases, when an AOL account is created, an independently controlled AOL Instant Messenger account is also established with the same e-mail and password.

Anyone with access to a members e-mail can easily request a reminder of their AOL Instant Messenger password, which in most cases would also grant complete control over the AOL account. This would allow even more personal information to be accessed including addresses and phone numbers.

According to reports, AIM accounts could also be hijacked by changing the password and e-mail address associated with the username.

The vulnerability does not directly affect ScreenName, the unified sign-on system deployed across AOLs Web properties. However, once a password is obtained, personal information stored on any ScreenName-enabled site is potentially at risk.

Major online players such as Microsoft with its Passport service, and the Liberty Alliance backed by AOL and Sun have been advocates of single sign-in technologies, where a user only needs to log in once to access numerous services.

But with such a large repository of user data, security concerns become paramount. AOL has faced several major security breaches in the past, most notably in summer of 2000 when hackers were able to access the subscribers information database that includes detailed customer records like credit card information.

AOL was unavailable for comment at press time.