<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2523" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Vendor: America Online
Inc.<BR>Date: January 1,
2005<BR>Issue: AOL's Online Password Reset feature does not
fully validate user information<BR>URL: <A
href="http://www.aol.com">http://www.aol.com</A> <BR>Advisory: <A
href="http://www.lovebug.org/aolpwreset_advisory.txt">http://www.lovebug.org/aolpwreset_advisory.txt</A></FONT></DIV>
<DIV> </DIV><FONT face=Arial size=2>
<DIV><BR>Service Overview:</DIV>
<DIV> </DIV>
<DIV>This report is in reference to the Online Password Reset that exists for
the AOL client for paying user accounts and not AOL Instant Messenger. I
think chances are if you're reading this, you should be familiar that AOL is
still the world's largest Internet Service Provider.</DIV>
<DIV> </DIV>
<DIV>Issue:</DIV>
<DIV> </DIV>
<DIV>AOL has an Online Password Reset feature that enables users that have
forgotten their password to reset it online. This features comes by way of
a window that may popup if the user has supplied an invalid password two times
in a row. (Note: This does not apply when signing on as Guest or at New
User). The first screen that pops up is a word verification screen.
The user must simply write the letters in a box that are displayed from an
image. Upon doing this the user is brought to the next and most important
screen in the process. This is the Member Verification screen where they
must enter the First Name, Last Name, and the Daytime and Evening Phone Number
along with the Last 4 Digits of their billing method account number or the
answer to an account security question (if one is set). If an account
security question is in place, it will only ask the user for the First Name and
Last Name, and the answer to the account security question. It will not
ask for the phone numbers or the last four digits of the billing method.</DIV>
<DIV> </DIV>
<DIV>While these may not be the most secure items to ask for to begin with,
there is an issue with user input validation. To successfully reset the
password for an account, the user does NOT need to supply the full first or last
name. In fact, only the first letter of both is required. If the
name on my account were Homer Simpson, all I would need to do is type in H and S
for the first and last name. The next issue is that it does not appear to
check both daytime and evening phone numbers. In my limited testing, I
have found that you can simply enter one correct phone number in either field
and the second phone number does not matter (in fact you can just put
555-555-5555). However, in their credit it appears that the answer to the
security question must be complete and exactly as originally typed. Also, if the
last four digits of the billing method comes up, the exact and entire four must
be entered correctly for validation.</DIV>
<DIV> </DIV>
<DIV>This results in a problem with only having to supply a limited bit of
information to reset a password. On an even more extreme note, this could
also be used to discover information about an account. The user is given 4
tries to get the information correct to reset the password. If the user
enters some fields correctly but others incorrectly, the Online Reset window
will return the correct fields with the previously entered information and leave
all invalid fields blank. This can be used to verify a name, phone number,
and billing digits on the account.</DIV>
<DIV> </DIV>
<DIV>Solutions: </DIV>
<DIV> </DIV>
<DIV>At the login screen intentionally typed your password incorrectly two
times. When the password reset window pops up, enter the word verification
and then go to Member Verification screen. At this point just enter bogus
information four times until it boots you off. This will disable the
online reset feature for the screen name since the information was entered
incorrectly. The feature will probably be turned on again at some point
after a given period of time, but I believe it is a rather long period of that's
the case. Also, don't use a security question with an easy answer that
people might know or is flat out guessable (i.e. What is my favorite
color?).</DIV>
<DIV> </DIV>
<DIV><BR>Vendor Response:</DIV>
<DIV> </DIV>
<DIV>After my previous bug reports related to America Online, I noted that I had
knowledge of more (and I still do) and would be more than willing to share this
information with the vendor if they cared to hear it. I received a
response from AOL not too long after that, but it seems that maintaining the
communication is rather difficult for some reason. The vendor has not been
notified of this problem, atleast not until reading this.</DIV>
<DIV> </DIV>
<DIV>My e-mail address hasn't change and works fine: <<A
href="mailto:steven@lovebug.org">steven@lovebug.org</A>> | If anyone at AOL
is interested in knowing bugs prior to disclosure, feel free to drop me a
line. There's a few more you might like to know about :-)</DIV>
<DIV> </DIV>
<DIV>Credits:</DIV>
<DIV> </DIV>
<DIV>Myself and the year 2005.</DIV>
<DIV> </DIV>
<DIV>Go Hokies! Sugar Bowl Time! :D</DIV>
<DIV> </DIV>
<DIV><BR>-Steven<BR><A
href="mailto:steven@lovebug.org">steven@lovebug.org</A></DIV>
<DIV> </DIV>
<DIV></FONT> </DIV></BODY></HTML>