[Full-Disclosure] AOL's Online Password Reset feature does not fully validate user information
- To: <bugtraq@xxxxxxxxxxxxxxxxx>, <bugs@xxxxxxxxxxxxxxxxxxx>, <vulnwatch@xxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] AOL's Online Password Reset feature does not fully validate user information
- From: "Steven" <steven@xxxxxxxxxxx>
- Date: Sat, 1 Jan 2005 10:44:31 -0500
Vendor: America Online Inc.
Date: January 1, 2005
Issue: AOL's Online Password Reset feature does not fully validate user information
URL: http://www.aol.com
Advisory: http://www.lovebug.org/aolpwreset_advisory.txt
Service Overview:
This report is in reference to the Online Password Reset that exists for the
AOL client for paying user accounts and not AOL Instant Messenger. I think
chances are if you're reading this, you should be aware that AOL is still
the world's largest Internet Service Provider.
Issue:
AOL has an Online Password Reset feature that enables users that have forgotten
their password to reset it online. This feature comes by way of a window that
may pop up if the user has supplied an invalid password two times in a row.
(Note: This does not apply when signing on as Guest or at New User). The first
screen that pops up is a word verification screen. The user must simply write
the letters in a box that are displayed from an image. Upon doing this the
user is brought to the next and most important screen in the process. This is
the Member Verification screen where they must enter the First Name, Last Name,
and the Daytime and Evening Phone Number along with the Last 4 Digits of their
billing method account number or the answer to an account security question (if
one is set). If an account security question is in place, it will only ask the
user for the First Name and Last Name, and the answer to the account security
question. It will not ask for the phone numbers or the last four digits of the
billing method.
While these may not be the most secure items to ask for to begin with, there is
an issue with user input validation. To successfully reset the password for an
account, the user does NOT need to supply the full first or last name. In
fact, only the first letter of both is required. If the name on my account
were Homer Simpson, all I would need to do is type in H and S for the first and
last name. The next issue is that it does not appear to check both daytime and
evening phone numbers. In my limited testing, I have found that you can simply
enter one correct phone number in either field and the second phone number does
not matter (in fact you can just put 555-555-5555). However, to their credit
it appears that the answer to the security question must be complete and
exactly as originally typed. Also, if the last four digits of the billing
method come up, the exact and entire four must be entered correctly for
validation.
This results in a problem with only having to supply a limited bit of
information to reset a password. On an even more extreme note, this could also
be used to discover information about an account. The user is given 4 tries to
get the information correct to reset the password. If the user enters some
fields correctly but others incorrectly, the Online Reset window will return
the correct fields with the previously entered information and leave all
invalid fields blank. This can be used to verify a name, phone number, and
billing digits on the account.
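The two verification behaviours described above, modelled side by side as an added example (this is illustrative code, not AOL's implementation; the account record is constructed sample data, with the name taken from the advisory's Homer Simpson example): `weak_verify` reproduces the first-letter name match, the either-phone-suffices check and the echoing back of which fields were right, while `strict_verify` compares every field whole and answers only yes or no.

```python
import re

# Constructed sample account record (not real data).
ACCOUNT = {
    "first": "Homer", "last": "Simpson",
    "day_phone": "555-123-4567", "eve_phone": "555-987-6543",
    "billing_last4": "4242",
}

# Constructed partial submission of the kind the advisory describes:
# initials only, one correct phone number, a filler second number.
PARTIAL = {
    "first": "H", "last": "S",
    "day_phone": "555-123-4567", "eve_phone": "555-555-5555",
    "billing_last4": "4242",
}


def _digits(s):
    """Normalise a phone number to digits so formatting differences are ignored."""
    return re.sub(r"\D", "", s)


def weak_verify(acct, sub):
    """Reproduces the reported flaws. Returns (accepted, matched_fields);
    matched_fields is the per-field feedback that lets a caller learn which
    values were right even when the reset as a whole is refused."""
    ok = {
        "first": sub["first"][:1].casefold() == acct["first"][:1].casefold(),
        "last": sub["last"][:1].casefold() == acct["last"][:1].casefold(),
        "billing_last4": sub["billing_last4"] == acct["billing_last4"],
    }
    on_file = {_digits(acct["day_phone"]), _digits(acct["eve_phone"])}
    # Either submitted phone matching either number on file is enough here.
    ok["phone"] = bool({_digits(sub["day_phone"]), _digits(sub["eve_phone"])} & on_file)
    return all(ok.values()), {k for k, hit in ok.items() if hit}


def strict_verify(acct, sub):
    """Whole-value comparison on every field, returning only a bool so a
    partially correct attempt reveals nothing about which field failed."""
    return all([
        sub["first"].strip().casefold() == acct["first"].casefold(),
        sub["last"].strip().casefold() == acct["last"].casefold(),
        _digits(sub["day_phone"]) == _digits(acct["day_phone"]),
        _digits(sub["eve_phone"]) == _digits(acct["eve_phone"]),
        sub["billing_last4"] == acct["billing_last4"],
    ])
```

With the constructed data, `weak_verify(ACCOUNT, PARTIAL)` accepts the initials-only submission and reports every field as matched, whereas `strict_verify` refuses it and only accepts the full name and both numbers.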
Solutions:
At the login screen intentionally type your password incorrectly two times.
When the password reset window pops up, enter the word verification and then go
to Member Verification screen. At this point just enter bogus information four
times until it boots you off. This will disable the online reset feature for
the screen name since the information was entered incorrectly. The feature
will probably be turned on again at some point after a given period of time,
but I believe it is a rather long period if that's the case. Also, don't use a
security question with an easy answer that people might know or is flat out
guessable (i.e. What is my favorite color?).
Vendor Response:
After my previous bug reports related to America Online, I noted that I had
knowledge of more (and I still do) and would be more than willing to share this
information with the vendor if they cared to hear it. I received a response
from AOL not too long after that, but it seems that maintaining the
communication is rather difficult for some reason. The vendor has not been
notified of this problem, at least not until reading this.
My e-mail address hasn't changed and works fine: <steven@xxxxxxxxxxx> | If
anyone at AOL is interested in knowing bugs prior to disclosure, feel free to
drop me a line. There are a few more you might like to know about :-)
Credits:
Myself and the year 2005.
Go Hokies! Sugar Bowl Time! :D
-Steven
steven@xxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html