Vendor:   America Online Inc.
Date:     January 1, 2005
Issue:    AOL's Online Password Reset feature does not fully validate user information
URL:      http://www.aol.com
Advisory: http://www.lovebug.org/aolpwreset_advisory.txt
 

Service Overview:
 
This report concerns the Online Password Reset that exists for the AOL client for paying user accounts, not AOL Instant Messenger. I think chances are, if you're reading this, you are familiar with the fact that AOL is still the world's largest Internet Service Provider.
 
Issue:
 
AOL has an Online Password Reset feature that enables users who have forgotten their password to reset it online. The feature comes by way of a window that may pop up after the user has supplied an invalid password two times in a row. (Note: this does not apply when signing on as Guest or as New User.) The first screen that pops up is a word verification screen: the user must type into a box the letters displayed in an image. The user is then brought to the next and most important screen in the process, the Member Verification screen, where they must enter the First Name, Last Name, the Daytime and Evening Phone Numbers, and either the last 4 digits of their billing method account number or the answer to an account security question (if one is set). If an account security question is in place, the screen asks only for the First Name, Last Name and the answer to the security question; it does not ask for the phone numbers or the last four digits of the billing method.
 
While these may not be the most secure items to ask for to begin with, there is a problem with how the input is validated. To successfully reset the password for an account, the user does NOT need to supply the full first or last name; only the first letter of each is required. If the name on my account were Homer Simpson, all I would need to type is H and S for the first and last name. The next issue is that it does not appear to check both daytime and evening phone numbers. In my limited testing, I have found that you can simply enter one correct phone number in either field, and the second phone number does not matter (in fact you can just put 555-555-5555). However, to their credit, it appears that the answer to the security question must be complete and exactly as originally typed. Also, if the last four digits of the billing method are asked for, all four digits must be entered exactly for validation.
 
The result is that only a limited amount of information has to be supplied to reset a password. More seriously, the same screen can be used to discover information about an account. The user is given 4 tries to get the information correct to reset the password. If the user enters some fields correctly but others incorrectly, the Online Reset window returns the correct fields with the previously entered information and leaves all invalid fields blank. Each failed attempt therefore confirms, field by field, which of the submitted values were right, and this can be used to verify a name, phone number, and billing digits on the account.
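The checks described above, modeled in Python as an added example (this is not AOL's code): weak_verify reproduces the reported behaviour (first-letter match on names, either phone number sufficient, exact billing digits, and a per-field echo on failure), probe_phone shows how that echo turns the four tries into a field-by-field oracle for confirming a phone number, and StrictVerifier is the all-or-nothing form a practitioner would want instead. The account record, the field names and the four-attempt limit are assumptions taken from the advisory's description.

```python
"""Model of the Member Verification check as the advisory describes it.

Added example, not AOL's code. The account record, the field names and the
four-attempt limit are assumptions drawn from the advisory's description.
"""
import hmac

# Constructed sample account (not a real account).
ACCOUNT = {
    "first_name": "Homer",
    "last_name": "Simpson",
    "day_phone": "555-123-4567",
    "eve_phone": "555-765-4321",
    "billing_last4": "1234",
}
MAX_ATTEMPTS = 4  # the advisory reports four tries before the reset is disabled


def _norm(value):
    """Lower-case and keep only letters/digits so '555-123-4567' == '5551234567'."""
    return "".join(ch for ch in (value or "").lower() if ch.isalnum())


def weak_verify(account, submitted):
    """Behaviour reported in the advisory: a name passes on its first letter
    (prefix match), one correct phone number in either field is enough, the
    billing digits must match exactly, and every field is echoed back filled
    in if it was right and blank if it was wrong.
    Returns (reset_allowed, echo)."""
    acc = {k: _norm(v) for k, v in account.items()}
    sub = {k: _norm(submitted.get(k)) for k in account}
    ok = {
        "first_name": bool(sub["first_name"]) and acc["first_name"].startswith(sub["first_name"]),
        "last_name": bool(sub["last_name"]) and acc["last_name"].startswith(sub["last_name"]),
        "billing_last4": sub["billing_last4"] == acc["billing_last4"],
    }
    on_file = {acc["day_phone"], acc["eve_phone"]}
    ok["day_phone"] = sub["day_phone"] in on_file
    ok["eve_phone"] = sub["eve_phone"] in on_file
    phone_ok = ok["day_phone"] or ok["eve_phone"]      # only one has to be right
    allowed = ok["first_name"] and ok["last_name"] and phone_ok and ok["billing_last4"]
    # The per-field echo is the information leak: it tells the caller exactly
    # which of the submitted values were correct, even when the reset fails.
    echo = {k: (submitted.get(k) or "") if ok[k] else "" for k in account}
    return allowed, echo


def probe_phone(verify, account, candidates, max_attempts=MAX_ATTEMPTS):
    """Use the echo as an oracle: submit only the initials, one candidate
    phone number per attempt and junk elsewhere, then read back which
    candidate the server confirmed. Returns (confirmed_number, attempts_used)."""
    initials = {"first_name": account["first_name"][0], "last_name": account["last_name"][0]}
    for n, cand in enumerate(candidates[:max_attempts], start=1):
        _, echo = verify(account, {**initials, "day_phone": cand,
                                   "eve_phone": "555-555-5555", "billing_last4": "0000"})
        if echo["day_phone"]:
            return cand, n
    return None, min(len(candidates), max_attempts)


class StrictVerifier:
    """Hardened form: every field must match exactly, the comparison runs over
    all fields without short-circuiting, the caller learns only pass/fail, and
    the attempt counter is per account no matter which field was wrong."""

    def __init__(self, account, max_attempts=MAX_ATTEMPTS):
        self.account = {k: _norm(v) for k, v in account.items()}
        self.max_attempts = max_attempts
        self.attempts = 0

    def verify(self, submitted):
        if self.attempts >= self.max_attempts:
            return False                      # reset disabled; nothing more to learn
        self.attempts += 1
        all_ok = True
        for field, expected in self.account.items():
            given = _norm(submitted.get(field))
            # compare_digest keeps timing independent of how much matched;
            # '&=' makes every field count rather than stopping at the first miss.
            all_ok &= hmac.compare_digest(given.encode(), expected.encode())
        return all_ok


if __name__ == "__main__":
    initials_plus_one_phone = {"first_name": "H", "last_name": "S",
                               "day_phone": "555-555-5555",
                               "eve_phone": "555-765-4321", "billing_last4": "1234"}
    print("weak check grants reset on initials + one phone:",
          weak_verify(ACCOUNT, initials_plus_one_phone)[0])
    print("phone number confirmed via echo:",
          probe_phone(weak_verify, ACCOUNT, ["555-000-0000", "555-123-4567", "555-999-9999"]))
    print("strict check, same partial input:",
          StrictVerifier(ACCOUNT).verify(initials_plus_one_phone))
```

Run it directly to see the three cases. The strict form counts a junk attempt against the account exactly like a near miss and returns nothing but pass/fail, so the four-try limit cannot be spent confirming one field at a time the way the echo allows.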
 
Solutions:
 
At the login screen, intentionally type your password incorrectly two times. When the password reset window pops up, enter the word verification and then go to the Member Verification screen. At this point, just enter bogus information four times until it boots you off. This will disable the online reset feature for the screen name, since the information was entered incorrectly. The feature will probably be turned on again at some point after a given period of time, but I believe it is a rather long period if that's the case. Also, don't use a security question with an easy answer that people might know or that is flat out guessable (e.g. "What is my favorite color?").
 

Vendor Response:
 
After my previous bug reports related to America Online, I noted that I had knowledge of more (and I still do) and would be more than willing to share this information with the vendor if they cared to hear it. I received a response from AOL not too long after that, but it seems that maintaining the communication is rather difficult for some reason. The vendor has not been notified of this problem, at least not until reading this.
 
My e-mail address hasn't changed and works fine: <steven@lovebug.org> | If anyone at AOL is interested in knowing bugs prior to disclosure, feel free to drop me a line. There are a few more you might like to know about :-)
 
Credits:
 
Myself and the year 2005.
 
Go Hokies! Sugar Bowl Time! :D
 

-Steven
steven@lovebug.org
 
 