[NEWS] AOL Journals BlogID Incrementing Discloses Account Names and Email Addresses

From: SecuriTeam (support_at_securiteam.com)
Date: 11/01/04

    To: list@securiteam.com
    Date: 1 Nov 2004 11:08:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      AOL Journals BlogID Incrementing Discloses Account Names and Email
    Addresses
    ------------------------------------------------------------------------

    SUMMARY

    AOL Journals is basically "America Online's version of a blog (weblog) for
    AOL members/subscribers (excludes AIM users). It allows them to post
    messages by logging into the service or by sending an instant message to
    the screen name 'AOL Journals'".

    A vulnerability in AOL Journals BlogID allows an attacker to increment the
    numbers provided to the program and enumerate a list of AOL
    members/subscribers and their corresponding email addresses.

    DETAILS

    The issue lies within the Atom/RSS feed option for users. There is a link
    on the journals that would allow users to get an Atom or RSS feed for that
    weblog. The webpage that pops up containing these links to the feeds
    displays the full path to the user's feed (which includes their username,
    and therefore their e-mail address). The link to the feeds,
    however, does not use the username in conjunction with the blog name.
    Instead it uses a BlogID number which appears to just be incremented as
    blogs are created.

    Impact:
    As a result, an attacker could increment through the numbers and obtain
    thousands of user e-mail addresses. This flaw is especially noteworthy due
    to the ease and speed with which an attacker could obtain the usernames.
    Also, the usernames and blog names could easily be traversed to gather
    information on each user, which could be used for targeted SPAM, among
    other things.

    Example:
    Here is an example of the URL:
    http://journals.aol.com/_do/rss_popup?blogID=#

    Obviously replace # with a number. The current/newest ID# is in excess of
    700000. Some numbers will return an error (they no longer exist) or they
    will be for the same username. If a user chooses to create a new blog it
    will start a new BlogID.

    Workaround:
    Don't tie the BlogID feed into the Atom/RSS feeds.
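
On the detection side, the pattern described under Impact and Example (one client walking blogID values upward) is visible in web server logs. The following is an added example, not part of the original advisory: it assumes common-log-format access logs, and the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the feed-popup request path quoted in the advisory.
# Assumption: the server writes common-log-format lines (client first, status after the request).
REQ = re.compile(r'^(\S+) .*?"GET /_do/rss_popup\?blogID=(\d+)[^"]*" (\d{3})')

def find_enumerators(lines, min_ids=5, min_step_ratio=0.8):
    """Return {client: stats} for clients that walk blogID values in sequence."""
    seen = defaultdict(list)
    errors = defaultdict(int)
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        client, blog_id, status = m.group(1), int(m.group(2)), int(m.group(3))
        seen[client].append(blog_id)
        if status >= 400:  # deleted blogs return errors, as the advisory notes
            errors[client] += 1
    flagged = {}
    for client, ids in seen.items():
        distinct = list(dict.fromkeys(ids))  # drop repeats, keep request order
        if len(distinct) < min_ids:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        small = sum(1 for s in steps if 0 < s <= 2)  # +1/+2 tolerates a skipped ID
        ratio = small / len(steps)
        if ratio >= min_step_ratio:
            flagged[client] = {"distinct_ids": len(distinct),
                               "step_ratio": round(ratio, 2), "errors": errors[client]}
    return flagged

def sample_log():
    """Constructed log lines; client addresses come from documentation ranges."""
    fmt = ('{ip} - - [01/Nov/2004:10:00:{s:02d} +0000] '
           '"GET /_do/rss_popup?blogID={b} HTTP/1.1" {st} 512')
    lines = [fmt.format(ip="192.0.2.10", s=i, b=700100 + i,
                        st=404 if i % 4 == 3 else 200) for i in range(12)]
    for i, b in enumerate([15234, 15234, 640221, 15234]):  # ordinary reader
        lines.append(fmt.format(ip="198.51.100.7", s=20 + i, b=b, st=200))
    for i, b in enumerate([5120, 688001, 33410, 402995, 91772, 250006]):  # aggregator
        lines.append(fmt.format(ip="203.0.113.5", s=30 + i, b=b, st=200))
    return lines

if __name__ == "__main__":
    for client, stats in find_enumerators(sample_log()).items():
        print(client, stats)
```

A client that fetches many unrelated feeds is not flagged; only a run of small positive increments across distinct IDs is.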

    ADDITIONAL INFORMATION

    The information has been provided by Steven <steven@lovebug.org>.

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

