Users of America Online’s instant-messaging program and system were unwittingly connected to profanity and pornography last Saturday, according to an anti-AOL Web site.
AOL Watch said that malicious hackers — more accurately known as “crackers” — inserted profane graffiti, X-rated photos and sound files throughout the “Entertainment” section in AIM Today. The AIM Today feature of AOL’s Instant Messenger (AIM) generally pops up when a user first starts the AIM program, unless the user has disabled the feature.
Links in the Entertainment that usually bring up a list of members available for chat instead displayed pornographic pictures. Also, four separate categories within the Entertainment section were taken over by the malicious hackers, who then went on to post messages in those areas. If an unsuspecting user went to two of those lists, profanity-laced audio messages would automatically play on his or her system. One page even played a song from the rock group Prodigy.
The hack incident itself lasted for more than eight hours before it was removed from AIM Today, according to AOL Watch.
AOL officials were not immediately available for comment on the incident.
David Cassel is a freelance writer who also operates the AOL Watch Web site. In an article for Salon, he said the malicious hack was carried out by three 17-year olds who have been studying the AIM system for security holes.
In an e-mail interview with InstantMessagingPlanet, Cassel said he received several e-mail tips last Saturday that the hack was in progress. After eight hours had elapsed, the list of AIM members went simply blank. “That was either because no one felt like chatting about entertainment news — or because AOL had disabled the screen-name listing feature altogether,” he said.
As far as AOL’s IM security goes, Cassel said, “I guess this is always going to be a problem when you give away free accounts for your software with minimal verification.”
While the hack did not appear to affect people who use AIM for instant messaging-based conversations, the incident itself once again brings up the issue of security on the public IM networks. Just last week, an unintended feature surrounding the installation of AIM came to light — the installation process of AIM on a PC covertly forces Microsoft Internet Explorer (IE) browsers to accept “Welcome to America Online” at free.aol.com as a “Trusted site.” Automatically designating the free.aol.com site as a Trusted site allows AOL to install cookies and even run code on a user’s PC without their knowledge.
And last January, AOL patched a security flaw in the 4.7 and 4.8 versions of AIM that potentially could have allowed destructive Internet worms to infect AIM’s 100 million+ users. Because the patch is a server-side fix, AIM users do not have to download it.
For other security-related IM stories, visit InstantMessagingPlanet’s Security archive page.
NOTE: The link to the AOLWatch.org page on the hack contains profanity. One of the links off of that page, in turn, contains pornography.
Bob Woods is the managing editor of InstantMessagingPlanet.