Re: [Full-Disclosure] AOL refuses to help AIM users

From: ATD (simon@snosoft.com)
Date: 02/04/03

    From: ATD <simon@snosoft.com>
    To: Juraj Bednar <juraj@bednar.sk>
    Date: 03 Feb 2003 21:45:28 -0500
    

    Juraj,
            I would love to make it public however I am not sure as to what the
    actual vulnerability is. What I do know is that it allowed the
    attacker to "take over" the user's account. In the process the attacker
    was able to change the user's password. The user's client was GAIM, I am
    not sure of the version as of yet. The perplexing/concerning part of
    this is they did not require the user to be on-line for the account
    compromise. They can apparently change the password on the AIM database
    whenever they want, which makes me wonder if it has been compromised.
    Like I said, AOL was not interested in discussing this with me, even
    after I identified myself. Their claim was because I was not a paying
    customer.

            Also take note, my last message and this one are both being carbon
    copied to both toc@aol.com and abuse@aol.com, but to no avail.

    On Mon, 2003-02-03 at 21:39, Juraj Bednar wrote:
    > Hello,
    >
    >
    > make the vulnerability public, stating why you did not communicate with
    > vendor. It's their problem. Would be pretty bad press for them.
    >
    >
    > J.
    >
    > > All,
    > > Has anyone on this list ever tried to report a security issue to AOL? I
    > > just tried to do that and was literally told, "Corporate policy states
    > > that we do not help our free users.". I said, "I suppose that's because
    > > you don't make any money off of the free users". The man on the other
    > > end of the line being their security expert then stated, "that's right".
    > > Is this how they treat their prospective clients, end users, and free
    > > users? What can we do about this?
    > >
    > > --
    > > ATD <simon@snosoft.com>
    > > Secure Network Operations, Inc.

    -- 
    ATD <simon@snosoft.com>
    Secure Network Operations, Inc.
    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html



