Problem

AIM forced behavior "issue": The 4.7 version of the official AIM client can be forced into performing functions when the user loads a web page created with specific code in the META HTTP-EQUIV="refresh" HTML tag.

Versions affected

Testing has shown that this "issue" affects anyone running the 4.7 version of the official AIM client on Win 9x, Me, XP, 2000, or the 4.5 version on Mac OS9/X*. The AIM client available for Linux is not affected. Perhaps it affects others as well... NT?, CE?

Symptoms

When you load a web page you may notice that a new group, buddy, etc. has been automatically added to your buddy list.

Cause

The AIM client apparently will allow HTTP REFRESH to "push" an aim: link using the following format:

    <META HTTP-EQUIV="refresh" CONTENT=4;URL=aim:goim?screenname=mybuddy&message=buch_of_stuff_here>

Effects

A web page can be created with HTTP REFRESH code which will result in the AIM client performing the same function it would if a user had clicked directly on an aim: link.

Example

    <META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>

A web page loaded with the above code in its META REFRESH tag would automatically add a group called mindfliporg to the user's buddy list and add the buddies mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to the group.

Status

I placed a call to AOL months ago and was informed that this was a "feature" and would not be removed from future versions but may be "modified" in future versions. The latest version (4.8 at this time) has been modified to prompt the users when modifications to their buddylist are about to take place.

History

On a whim I decided to send someone an AIM greeting card. On the last page of that process AOL goes ahead and pops up an AIM window with an IM going to the SN for the person you have specified to receive the card. The IM says something to the effect of "You've got a greeting, click here." Convenient, this way all you have to do is hit send and it will IM the person to let them know. This greeting card page popped up the window automatically; I didn't have to click any links or OK anything, just load the page. If AOL can pop up a new IM window automatically with a web page, so can anyone else. Simply popping up an AIM window was only the beginning and prompted me to do further testing, which resulted in the writing of an article which was edited down and turned into this message.

Credits

Brian Foy Jr. (Orb)
orb@mindflip.org
<http://www.mindflip.org>

This report is, in article form, also available at: http://www.mindflip.org/aim.html

Best regards,
Orb
mindflip.org - Tech Collective
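A defensive check for the behavior described under Cause and Example, added here as an example and not part of the original advisory: it parses a page, extracts every META refresh target, and reports any that hand the browser a non-web scheme such as aim:, along with the action and parameters the client would receive. The sample pages, the screen names in them, and the ALLOWED_SCHEMES allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import re

# Constructed sample pages (placeholder names, not captured traffic).
SAMPLE_BENIGN = ('<html><head><META HTTP-EQUIV="refresh" '
                 'CONTENT="5;URL=http://example.com/next.html"></head></html>')
SAMPLE_AIM = ('<html><head><META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?'
              'listofscreennames=buddy1,buddy2&groupname=examplegroup></head></html>')

# Assumption: only http(s) and relative targets ("" scheme) are expected in a refresh.
ALLOWED_SCHEMES = {"", "http", "https"}


class RefreshFinder(HTMLParser):
    """Collects the URL target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag != "meta" or attr.get("http-equiv", "").lower() != "refresh":
            return
        # CONTENT has the form "<seconds>;URL=<target>"; keep what follows URL=.
        match = re.search(r"url\s*=\s*(.+)", attr.get("content", ""), re.I)
        if match:
            self.targets.append(match.group(1).strip().strip("'\""))


def find_suspicious_refreshes(html_text):
    """Return one finding per refresh that hands the browser a non-web scheme."""
    finder = RefreshFinder()
    finder.feed(html_text)
    finder.close()
    findings = []
    for target in finder.targets:
        parts = urlsplit(target)
        if parts.scheme.lower() in ALLOWED_SCHEMES:
            continue
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        findings.append({"scheme": parts.scheme.lower(),
                         "action": parts.path.lower(), "params": params})
    return findings


if __name__ == "__main__":
    for page in (SAMPLE_BENIGN, SAMPLE_AIM):
        print(find_suspicious_refreshes(page))
```

The same function can be run over proxy-cached or crawled HTML; a finding with scheme "aim" and action "addbuddy" corresponds to the buddy-list symptom described in the advisory.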