AOL Groups/AIM Information Disclosure
Link Linkovich
Sept 18, 2004

---BACKGROUND---

*AIM/EMAIL

When a user creates an AOL Instant Messenger (AIM) account they are asked to provide an email address for the purpose of recovering lost passwords. This email address is not published anywhere as a link to the screenname. AOL goes to great lengths to protect this email account. If a user desires to change their email address, a confirmation is sent to BOTH the new address and the old address. The user must then wait 72 hours before the email change will take place.

*AOL Groups

AOL offers AOL and AIM members a service called AOL Groups. Users may join public groups or may be invited to private groups. Any AOL member may create a group; AIM members may only join an existing group. When an AOL member creates a group, he/she is given the option to send out invites to AOL or AIM screennames. He/she only needs to know the screenname. An email invitation is then sent to the registered email address of the user asking if he/she would like to join this group.

---PROBLEM DESCRIPTION---

The AOL Groups invite system is flawed in two ways.

1) There is no limit on how many invites you may send one person. A malicious user can flood a user with requests in minutes, creating a "mailbomb" from groups.aol.com. One such attack wreaked havoc on a Microsoft Exchange Server.

2) Once a user's mailbox is either full or the email server can no longer accept requests, AOL returns to the attacker a message to the effect of:

"myemail@xxxxxxxxx can not be reached"

---RAMIFICATIONS---

Aside from the mailbomb and denial of service attack against a mail server, this opens a huge information disclosure. The attacker now has an email address and the knowledge of a screenname to launch further attacks, either via an email exploit or social engineering.

---VENDOR STATUS---

Detailed information submitted to them several times since the initial "mailbomb". No responses.
I'm sorry if I have not accurately described windows/messages throughout this text, but I was on the receiving end of an attack. After three days of research I was finally able to piece together what took place.

/Link/
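The two flaws described above (no per-recipient invite limit, and a delivery-failure message that echoes the recipient's registered address) both live in the invite service's design. As an added illustration that is not AOL's code, the hypothetical `InviteService` below shows the corrected behaviour: a sliding-window quota per invited screenname regardless of who is inviting, and a response to the inviter that is identical whether the screenname is unknown, the mailbox is full, or the mail server refused. The screenname directory, mailer callback and quota values are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy values for the illustration, not AOL's actual limits.
INVITE_WINDOW_SECONDS = 24 * 3600
MAX_INVITES_PER_RECIPIENT = 3

# One fixed response for every outcome, so nothing about the registered
# e-mail address (or whether the screenname even exists) is disclosed.
GENERIC_RESPONSE = "If this screenname exists, an invitation has been sent."


@dataclass
class InviteOutcome:
    accepted: bool
    message: str


class InviteService:
    def __init__(self, directory, mailer):
        # directory: screenname -> registered e-mail (constructed for the example)
        # mailer: callable(email) -> True if accepted, False if it bounced
        self._directory = directory
        self._mailer = mailer
        # recipient screenname -> send timestamps inside the current window
        self._history = defaultdict(deque)
        # bounces are recorded for operators only, never shown to the inviter
        self.bounces = []

    def invite(self, sender, recipient, now):
        key = recipient.lower()
        sent = self._history[key]
        # Drop timestamps that have aged out of the sliding window.
        while sent and now - sent[0] >= INVITE_WINDOW_SECONDS:
            sent.popleft()
        # Quota is per recipient across all senders, so the flood cannot be
        # resumed simply by creating another inviting account.
        if len(sent) >= MAX_INVITES_PER_RECIPIENT:
            return InviteOutcome(False, "Invite limit reached for this screenname.")
        sent.append(now)  # unknown screennames count too, to keep timing uniform
        email = self._directory.get(key)
        if email is not None and not self._mailer(email):
            self.bounces.append((sender, key, now))
        return InviteOutcome(True, GENERIC_RESPONSE)
```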