SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   AOL Journals Vendors:   America Online, Inc.
AOL Journals Discloses E-mail Addresses to Remote Users
SecurityTracker Alert ID:  1011900
SecurityTracker URL:  http://securitytracker.com/id/1011900
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 22 2004
Impact:   Disclosure of user information
Exploit Included:  Yes  

Description:   Steven from lovebug.org reported an information disclosure vulnerability in AOL Journals. A remote user can obtain user e-mail addresses.

It is reported that that a link on the journal that offers an Atom or RSS feed for the target user's weblog displays the full path to the target user's feed, including the username (e-mail address). A remote user can increment through the established BlogID values to obtain a large number of AOL e-mail addresses in a short period of time.

A demonstration exploit URL is of the following form:

http://[target]/_do/rss_popup?blogID=[blog ID number]

The original advisory is available at:

http://www.lovebug.org/aoljournals_advisory.txt

Impact:   A remote user can obtain e-mail addresses for AOL Journal users.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.aol.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  AOL Journals BlogID incrementing discloses account names and e-mail


Date:          October 22, 2004
Vendor:      America Online Inc.
Issue:          AOL Journals BlogID incrementing discloses account names and
e-mail addresses
URL:          http://journals.aol.com / AOL Keyword: Journals
Advisory:    http://www.lovebug.org/aoljournals_advisory.txt


Service Overview:

AOL Journals is basically America Online's version of a blog (weblog) for
AOL members/subscribers (excludes AIM users).  It allows them to post
messages by logging into the service or by sending an instant message to the
screen name "AOL Journals"

Issue:

The issue lies within the Atom/RSS feed option for users.  There is a link
on the journals that would allow users to get an Atom or RSS feed for that
weblog.  The webpage that pops up containing these links to the feeds
displays the full path to the user's feed (which includes their username,
which is subsequently their e-mail address).  The link to the feeds,
however, does not use the username in conjunction with the blog name.
Instead it uses a BlogID number which appears to just be incremented as
blogs are created.

As a result an attacker could increment through the numbers and obtain
thousands of user e-mail addresses.  This flaw is especially noteworthy due
to the easy and speed at which an attacker could obtain the usernames.
Also, the username and blog names could be easily traversed through to gain
information on the user that could be used in conjunction with targeted spam
among other things.

Here is an example of the URL:

http://journals.aol.com/_do/rss_popup?blogID=#

Obviously replace # with a number.  The current/newest ID# is in excess of
700000.  Some numbers will return an error (they no longer exist) or they
will be for the same username.  If a user chooses to create a new blog it
will start a new BlogID.

Solutions:

Don't tie the BlogID feed into the Atom/RSS feeds.

Vendor Response:

As mentioned in previous advisories related to America Online, there has
been no report to the vendor.  All previous attempts to report bugs in
America Online have gone ignored.  They also do not provide a point of
contact for reporting bugs.  However, all contact with others employees at
America Online in related departments has yielded negative or no response.

Once again, if America Online would like to provide a point of contact for
bugs, I would gladly contact them prior to disclosure.  E-mail:
steven@lovebug.org | Yes, there are currently more 'known' bugs.

Credits:

welcome.wav & gotmail.wav

Go Hokies! :D


-Steven
steven@lovebug.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC